WannaCry outbreak was first big test of HHS’s new cybersecurity center for health sector

When the ransomware crippled the British National Health Service last month, the response at the U.S. Department of Health and Human Services was led by a new cybersecurity watch center, officials told lawmakers.
The HHS building in Washington, D.C. (jinjian liang / Flickr)

When the WannaCry computer worms crippled the British National Health Service last month, the response at the U.S. Department of Health and Human Services was led by a new cybersecurity watch center, lawmakers heard Thursday.

The Healthcare Cybersecurity and Communications Integration Center, “coordinated the response to WannaCry,” Steve Curren, director of resilience in the HHS Office of Emergency Management, told a House Energy and Commerce subcommittee.

When the WannaCry worm struck, crippling dozens of British hospitals, HHS officials “took immediate action to engage [the] broader U.S. health sector and ensure that IT security specialists had the information they needed to protect against, respond to and report intrusions,” Curren said.

The HCCIC, (pronounced “aitch-kick”) came online in May is modeled on the Department of Homeland Security’s National Cybersecurity and Communications Integration Center — a 24-hour watch center that pulls in real-time data from vital national industries like banking and telecommunications and distributes warnings and other information.


The reaction to WannaCry “included [conference] calls with up to 3,100 participants each; daily messages with answers to frequently asked questions; [and lists of] resources from other federal departments and agencies,” Curren said.

The center was the principle topic of discussion at the hearing of the Subcommittee on Oversight and Investigations, chaired by Rep. Tim Murphy, R-Pa. HCCIC “could dramatically change how HHS handles cyberthreats internally,” said Murphy in an opening statement. “It is our understanding that the HCCIC will serve as a focal point for cyberthreat information collection and dissemination from HHS’s internal networks, as well as external sources.”

HCCIC, added HHS Deputy CISO Leo Scanlon, was set up to “support public-private partnership through regular engagement with and outreach to the [healthcare] sector …[and] leverage HHS capabilities and outreach.”

The healthcare sector, because it is made up of entities that vary from a single-doctor practice to multi-national insurance companies; and because it holds such valuable personal data on its customers, is considered especially difficult to secure against online threats.

“Clearly, the sector needs leadership,” said full Energy and Commerce Chairman Rep. Greg Walden, R-Ore. “HHS is uniquely situated to fill this void. Historically, the Department has struggled to effectively embrace this responsibility, but that trend cannot continue,” he went on, adding “The Department’s actions in response to the WannaCry ransomware — coordinated through the newly established HCCIC — have generally received praise from the sector.”


“We need to up our game,” agreed ranking member Frank Pallone, D-N.J., “We still have a long, long way to go to improve our preparedness in this area.”

HCCIC, said Scanlon, is designed to provide “a one stop point pf access to HHS cybersecurity capabilities [for the private sector] a cyber 311, especially [for] the small and rural provider entities who rarely engage with the federal government.”

Small providers are often considered most at risk because they do not have staff dedicated to IT security, and may not be able to afford the most up to date, and therefore most secure, technology.

Scanlon said the “most important outputs” from the HCCIC would be warnings, bulletins and other products which made sense to non-cybersecurity specialists and which “are human-consumable by entities that lack the machine-speed capability to take advantage of” automated information sharing initiatives run by DHS and more established information sharing outfits.

“It’s an enormous firehose of information which ultimately has to be absorbed by humans,” he said of threat-sharing mechanisms.

Latest Podcasts