HHS, cybersecurity agency could join forces under new legislation

© BillionPhotos.com - stock.adobe.com

This year’s cyberattack on Change Healthcare has sparked federal legislation to bolster computer network security for physicians offices, hospitals and health systems.

The Healthcare Cybersecurity Act would direct the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services to join forces and “make resources available to non-federal entities relating to cyber threat indicators and appropriate defense measures,” said Sen. Jacky Rosen (D-Nevada).She introduced the bipartisan bill with Sen. Todd Young (R-Indiana) and Sen. Angus King (I-Maine).

“The health care industry is still reeling from recent cyberattacks, and rural and small health care entities in Nevada have been particularly affected,” Rosen said in a news release. “It’s imperative that we take measures to improve cybersecurity in the health care sector to prevent data breaches and protect Nevadans, which is why I’m introducing this bipartisan legislation. I’ll keep working to strengthen the cybersecurity of this critical sector and keep people safe from malicious actors.”

The legislation would create a special liaison to HHS within CISA to coordinate during cybersecurity incidents and collaborate to support health care and public health sector entities.

“In recent years, hospitals and other health care facilities in Indiana and across America have experienced a dramatic increase in cyberattacks,” Young said in the news release. “Our bipartisan bill will take critical steps to strengthen cybersecurity infrastructure and better protect patients’ personal data.”

An emerging threat

Although security measures may improve, federal experts are not certain that health care cyberattacks will relent anytime soon. Also this month, the Health Sector Cybersecurity Coordination Center (HC3) within HHS published the threat briefing “Black Basta and Healthcare,” detailing “the emergence of a new and prolific ransomware group.”

Black Basta became known starting in 2022 and “appears to operate at a high and experienced maturity level, which was demonstrated through their capability to efficiently infiltrate large organizations,” the briefing said. A year later, it was one of the most prolific ransomware groups, using the double extortion tactic to steal data prior to encrypting files. That ensures the group can sell the data if victims do not pay ransom, so Black Basta can benefit financially, and the group claims to have extorted more than $500 million from more than 500 victims worldwide, according to HC3.

A case study detailed a 2022 ransomware attack on “a major health care provider in the United States,” disrupting services and compromising sensitive patient data. The attack began with a phishing campaign targeting staff, and the hackers gained access through malicious attachments. With access to the computer network, Black Basta stole large volumes of patient records, then encrypted the files.

“The attack caused significant operational downtime, forcing the provider to cancel appointments and reroute emergency cases to other facilities,” the HC3 threat briefing said. “The health care provider faced substantial financial costs,including the ransom demand (reported to be millions of dollars), recovery expenses, and potential fines for data breaches.”

‘A lot of cooks in the cyber kitchen’

Some experts believe Black Basta may operate from Eastern Europe or Russia, regions “known to be less cooperative with international efforts to stop cybercrime,” according to HC3.

But the group’s possible affiliations are not known, or not revealed, and in hack attacks, details sometimes remain muddy. There are a number of federal agencies – Sen. Mark R. Warner counted at least 16 – with some jurisdiction over health care and cyber.

This summer, bill co-sponsor King spoke and published a transcript of dialogue from a Senate Armed Services Committee hearing. He questioned Michael Sulmeyer, DPhil, a cyber adviser to the Army who is President Joe Biden’s nominee to serve as inaugural assistant secretary of defense for cyber policy.

“If we are talking about a cyberattack, it is becoming harder … to determine where it comes from. Does the U.S. government have sufficient resources in a coherent structure to do attribution of cyberattacks in a timely and reasonably certain way?” King asked.

“Senator, the tools and the experience necessary to attribute adversary cyber activity have to keep evolving with their behavior. I believe that historically we have been able to attribute and understand with varying levels of confidence at different times who is doing what,” Sulmeyer said. “The difference is when the government is willing and when it makes sense to say so publicly versus when to be private about it, but I commit to working with the committee and of course my leadership on that transparency.”

“My question is, ‘Who is we?’ Is there a central office somewhere in the federal government of attribution or is some of it in the FBI, some of it in the CIA? I am just concerned that this is such an important question that institutionally and structurally, we don't have a central area to do this essential function,” King said.

“It is a good point, Senator, that there’s a lot of different organizations, a lot of cooks in the cyber kitchen, so because different kinds of malware have different technical specifications, you want the best experts to be able to come look at any given piece of code,” Sulmeyer said. “I would want to just make sure that community of interest is clear about who they are and that they have the tools they need to work fast and then share that.”

Federal action or inaction?

Last year, an estimated 133 million people had their health data breached, according to King’s office. Earlier this year, King and Sen. Marco Rubio (R-Florida) introduced the Strengthening Cybersecurity in Health Care Act, which would require HHS to evaluate its cybersecurity systems and provide biannual reports on current best practices and progress on future programs.

King also served as co-chair of the Cyberspace Solarium Commission, a panel created by Congress in starting in fiscal year 2019 and publishing its main report in March 2020. There were more than 80 recommendations for federal cybersecurity reform to “strengthen norms and non-military tools, promote national resilience, reshape the cyber ecosystem, operationalize public-private collaboration, and preserve and employ military instruments of national power.”