[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

 EXAMINING THE ROLE OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES IN 
                       HEALTH CARE CYBERSECURITY

=======================================================================

                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 8, 2017

                               __________

                           Serial No. 115-37


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                        
                        
                            _________ 

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 26-585                  WASHINGTON : 2018      
____________________________________________________________________
                        
                        
                        
                    COMMITTEE ON ENERGY AND COMMERCE

                          GREG WALDEN, Oregon
                                 Chairman
JOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey
  Vice Chairman                        Ranking Member
FRED UPTON, Michigan                 BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
TIM MURPHY, Pennsylvania             ELIOT L. ENGEL, New York
MICHAEL C. BURGESS, Texas            GENE GREEN, Texas
MARSHA BLACKBURN, Tennessee          DIANA DeGETTE, Colorado
STEVE SCALISE, Louisiana             MICHAEL F. DOYLE, Pennsylvania
ROBERT E. LATTA, Ohio                JANICE D. SCHAKOWSKY, Illinois
CATHY McMORRIS RODGERS, Washington   G.K. BUTTERFIELD, North Carolina
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            KATHY CASTOR, Florida
BRETT GUTHRIE, Kentucky              JOHN P. SARBANES, Maryland
PETE OLSON, Texas                    JERRY McNERNEY, California
DAVID B. McKINLEY, West Virginia     PETER WELCH, Vermont
ADAM KINZINGER, Illinois             BEN RAY LUJAN, New Mexico
H. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York
GUS M. BILIRAKIS, Florida            YVETTE D. CLARKE, New York
BILL JOHNSON, Ohio                   DAVID LOEBSACK, Iowa
BILLY LONG, Missouri                 KURT SCHRADER, Oregon
LARRY BUCSHON, Indiana               JOSEPH P. KENNEDY, III, 
BILL FLORES, Texas                       Massachusetts
SUSAN W. BROOKS, Indiana             TONY CARDENAS, California
MARKWAYNE MULLIN, Oklahoma           RAUL RUIZ, California
RICHARD HUDSON, North Carolina       SCOTT H. PETERS, California
CHRIS COLLINS, New York              DEBBIE DINGELL, Michigan
KEVIN CRAMER, North Dakota
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia

              Subcommittee on Oversight and Investigations

                        TIM MURPHY, Pennsylvania
                                 Chairman
H. MORGAN GRIFFITH, Virginia         DIANA DeGETTE, Colorado
  Vice Chairman                        Ranking Member
JOE BARTON, Texas                    JANICE D. SCHAKOWSKY, Illinois
MICHAEL C. BURGESS, Texas            KATHY CASTOR, Florida
SUSAN W. BROOKS, Indiana             PAUL TONKO, New York
CHRIS COLLINS, New York              YVETTE D. CLARKE, New York
TIM WALBERG, Michigan                RAUL RUIZ, California
MIMI WALTERS, California             SCOTT H. PETERS, California
RYAN A. COSTELLO, Pennsylvania       FRANK PALLONE, Jr., New Jersey (ex 
EARL L. ``BUDDY'' CARTER, Georgia        officio)
GREG WALDEN, Oregon (ex officio)
  
                             C O N T E N T S

                              ----------                              
Hon. Tim Murphy, a Representative in Congress from the 
  Commonwealth of Pennsylvania, opening statement
    Prepared statement
Hon. Diana DeGette, a Representative in Congress from the State 
  of Colorado, opening statement
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement
    Prepared statement
Hon. Michael C. Burgess, a Representative in Congress from the 
  State of Texas, prepared statement
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, opening statement
    Prepared statement

                               Witnesses

Steve Curren, Director, Division of Resilience, Office of 
  Emergency Management, Office of the Assistant Secretary for 
  Preparedness and Response, U.S. Department of Health and Human 
  Services
    Prepared statement
    Answers to submitted questions
Leo Scanlon, Deputy Chief Information Security Officer, U.S. 
  Department of Health and Human Services
    Prepared statement
    Answers to submitted questions
Emery Csulak, Chief Information Security Officer and Senior 
  Privacy Official, Centers for Medicare and Medicaid Services, 
  Co-Chair, Health Care Industry Cybersecurity Task Force
    Prepared statement
    Answers to submitted questions


 EXAMINING THE ROLE OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES IN 
                       HEALTH CARE CYBERSECURITY

                              ----------                              


                         THURSDAY, JUNE 8, 2017

                  House of Representatives,
      Subcommittee on Oversight and Investigations,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:17 a.m., in 
room 2322 Rayburn House Office Building, Hon. Tim Murphy 
(chairman of the subcommittee) presiding.
    Members present: Representatives Murphy, Griffith, Burgess, 
Brooks, Collins, Walberg, Walters, Costello, Carter, Walden (ex 
officio), DeGette, Castor, Tonko, Ruiz, Peters, and Pallone (ex 
officio).
    Staff present: Jennifer Barblan, Chief Counsel, Oversight 
and Investigations; Elena Brennan, Legislative Clerk, Oversight 
and Investigations; Katie McKeough, Press Assistant; John Ohly, 
Professional Staff, Oversight & Investigations; Jennifer 
Sherman, Press Secretary; Hamlin Wade, Special Advisor, 
External Affairs; Jessica Wilkerson, Professional Staff, 
Oversight and Investigations; Julie Babayan, Minority Counsel; 
Chris Knauer, Minority Oversight Staff Director; Miles 
Lichtman, Minority Policy Analyst; Kevin McAloon, Minority 
Professional Staff Member; Dino Papanastasiou, Minority GAO 
Detailee; Andrew Souvall, Minority Director of Communications, 
Outreach and Member Services; and C.J. Young, Minority Press 
Secretary.

   OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN 
         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

    Mr. Murphy. Good morning. Commencing a hearing here on 
``Examining the Role of the Department of Health and Human 
Services on Health Care Cybersecurity.'' Welcome.
    We are here today to continue our examination of 
cybersecurity in the health sector as we discussed at our 
hearing in April about the role of public-private partnerships. 
Cybersecurity in this sector ultimately comes down to patient 
safety. We had a glimpse just weeks ago at what a large-scale 
cyber incident could do to the health care sector, including the 
impact upon patients during the WannaCry ransomware event. 
Today, we turn to the role the Department of Health and Human 
Services, HHS, has in health care cybersecurity.
    Recognizing the critical importance of cybersecurity in 
this sector, 2 years ago in the Cybersecurity Act of 2015 
Congress asked HHS to undertake two evaluations: one evaluating 
the department's internal preparedness for managing 
cyberthreats and a second done alongside industry stakeholders 
examining the challenges with cybersecurity in the health care 
sector. These evaluations are now complete and give not only 
the Congress but the entire health care sector an opportunity 
to better understand the agency's approach to cybersecurity. 
The reports also allow us to establish a baseline for 
evaluating HHS' progress, moving forward.
    HHS' internal preparedness report sets out the roles and 
responsibilities of various HHS offices in managing 
cyberthreats, among other information. For example, the report 
identified a single HHS official--the cybersecurity designee--
assigning primary responsibility for cybersecurity efforts 
across the agency. But what precisely does this mean and how does 
the cybersecurity designee work with the 11 components 
identified by HHS as having cybersecurity responsibilities? In 
addition, the committee has learned that many of the details 
may already be obsolete due to recent and ongoing changes in 
HHS' internal structure.
    For example, HHS' creation of a Health Cybersecurity and 
Communications Center, or HCCIC, modeled on the National 
Cybersecurity and Communications Integration Center, or NCCIC, 
operated by the Department of Homeland Security could 
dramatically change how HHS handles cyberthreats internally. It 
is our understanding that the HCCIC will serve as a focal point 
for cyberthreat information collection and dissemination from 
HHS' internal networks as well as external sources. However, 
details about this new function remain limited. Therefore, how 
HCCIC fits in the department's internal structure and 
preparedness as well as its role with respect to private sector 
partners will be a focus of today's discussion.
    The second report released late last week focused broadly 
on the challenges of cybersecurity in the health care industry. 
This report reflects the findings and recommendations of the 
Health Care Industry Cybersecurity Task Force. The task force 
members were selected from a wide range of stakeholders 
including federal agencies, the health care sector and 
cybersecurity experts. And the report does not mince words, 
broadly concluding that health care cybersecurity is in 
critical condition. The report identified six imperatives such 
as defining leadership and expectations for the industry, 
increasing the security of medical devices and health IT and 
improving information sharing within the industry. It made 27 
specific recommendations. Many of these recommendations call on 
HHS to provide more leadership and guidance for the sector as a 
whole.
    It is clear from these reports that there is much HHS can 
and should do to help elevate cybersecurity across the sector. 
The importance of meeting this challenge head on was 
illuminated in recent weeks by the widely publicized WannaCry 
ransomware. Frankly, we are lucky the United States was largely 
spared from this infection, which temporarily crippled the 
National Health Service in England. Doctors and nurses were 
locked out of patient records there and hospitals diverted 
ambulances to nearby hospitals and cancelled nonemergency 
services after widespread infection of the ransomware.
    This incident was an important test of HHS' response to a 
potentially serious event and thus far the feedback has been 
positive. Reports suggested HHS took a central role in 
coordinating resources, disseminating information and serving 
as a nurse in the public-private response efforts. But this was 
just one incident and HHS must remain vigilant. The WannaCry 
infection was not the first widespread cyber incident nor will 
it be the last.
    Therefore, a commitment to raising the bar for all 
participants in the sector no matter how large or small needs 
to be embraced. This is a collective responsibility and HHS has 
an opportunity to show leadership and to set the tone. Because 
this is no longer just about protecting personal information or 
patient data. This is about patient safety.
    So I want to thank our witnesses for appearing today and 
look forward to learning more about HHS' efforts on this 
important topic.
    I want to also say we recognize that this is a very, very 
serious threat and we will be asking more details about that 
later. But one that has had that impact upon the National 
Health Service in England, I shudder to think what happens 
here.
    If we are talking about threats to patients' medical 
records, prescribing records, medical equipment, et cetera, 
none of this should be taken lightly. This is a very serious 
problem.
    [The prepared statement of Mr. Murphy follows:]

                 Prepared statement of Hon. Tim Murphy

    We are here today to continue our examination of 
cybersecurity in the health care sector. As we discussed at our 
hearing in April about the role of public-private partnerships, 
cybersecurity in this sector ultimately comes down to patient 
safety. And we got a glimpse just weeks ago at what a 
large-scale cyber incident could do to the health care sector--
including the impact on patients--during the WannaCry ransomware 
event. Today, we turn to the role of the Department of Health 
and Human Services (HHS) in health care cybersecurity.
    Recognizing the critical importance of cybersecurity in 
this sector, two years ago, in the Cybersecurity Act of 2015, 
Congress asked HHS to undertake two evaluations--one evaluating 
the Department's internal preparedness for managing cyber 
threats, and a second done alongside industry stakeholders 
examining the challenges of cybersecurity in the health care 
sector. These evaluations are now complete, and give not only 
the Congress, but the entire health care sector, an opportunity 
to better understand the agency's approach to cybersecurity. 
The reports also allow us to establish a baseline for 
evaluating HHS' progress moving forward.
    HHS's internal preparedness report sets out the roles and 
responsibilities of various HHS offices in managing cyber 
threats, among other information. For example, the report 
identified a single HHS official--the cybersecurity 
``designee''--as having primary responsibility for 
cybersecurity efforts across the agency. But what precisely 
does this mean, and how does this cybersecurity designee work 
with the eleven components identified by HHS as having 
cybersecurity responsibilities? In addition, the Committee has 
learned that many of the details may already be obsolete due to 
recent and ongoing changes in HHS's internal structure.
    For example, HHS's creation of a Health Cybersecurity and 
Communications Integration Center (HCCIC), modeled on the 
National Cybersecurity and Communications Integration Center 
(NCCIC) operated by the Department of Homeland Security, could 
dramatically change how HHS handles cyber threats internally. 
It is our understanding that the HCCIC will serve as a focal 
point for cyber threat information collection and dissemination 
from HHS's internal networks, as well as external sources. 
However, details about this new function remain limited. 
Therefore, how the HCCIC fits in to the Department's internal 
structure and preparedness, as well as its role with respect to 
private sector partners will be a focus of today's discussion.
    The second report, released late last week, focuses broadly 
on the challenges of cybersecurity in the health care industry. 
This report reflects the findings and recommendations of the 
Health Care Industry Cybersecurity Task Force. The Task Force 
members were selected from a wide-range of stakeholders, 
including federal agencies, the health care sector and 
cybersecurity experts. The report does not mince words, broadly 
concluding that health care cybersecurity is in critical 
condition. The report identified six imperatives--such as 
defining leadership and expectations for the industry, 
increasing the security of medical devices and health IT, and 
improving information sharing within the industry--and made 27 
specific recommendations. Many of these recommendations call on 
HHS to provide more leadership and guidance for the sector as a 
whole.
    It is clear from these reports that there is much that HHS 
can and should do to help elevate cybersecurity across the 
sector. The importance of meeting this challenge head-on was 
illuminated in recent weeks by the widely-publicized WannaCry 
ransomware. Frankly, we are lucky that the United States was 
largely spared from this infection, which temporarily crippled 
the National Health Service in England. Doctors and nurses were 
locked out of patient records. Hospitals diverted ambulances to 
nearby hospitals and cancelled non-emergency services after 
widespread infection of the ransomware.
    This incident was an important test of HHS's response to a 
potentially serious event and thus far, the feedback has been 
positive. Reports suggest that HHS took a central role in 
coordinating resources, disseminating information and serving 
as a nerve center for public-private response efforts. But this 
was just one incident, and HHS must remain vigilant. The 
WannaCry infection was not the first widespread cyber incident, 
nor will it be the last.
    Therefore, a commitment to raising the bar, for all 
participants in the sector--no matter how large or small--needs 
to be embraced. This is a collective responsibility and HHS has 
an opportunity to show leadership and to set the tone. Because 
this is no longer just about protecting personal information or 
patient data. This is about patient safety.
    I want to thank our witnesses for appearing today and look 
forward to learning more about HHS's efforts on this important 
topic. I now recognize the Ranking Member, Ms. DeGette, for her 
opening statement.

    Mr. Murphy. So I now want to recognize the ranking member, 
Ms. DeGette of Colorado, for her opening statement.

 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you, Mr. Chairman.
    The country's vital infrastructure is under attack by 
actors with malicious intent. We are constantly seeing new 
headlines about vulnerabilities and cyberattacks against our 
systems and these attacks are becoming more frequent and more 
sophisticated.
    In the health care sector, cyberattacks are particularly 
devastating, obviously because they can harm patients. Just 
last month, as the chairman mentioned, WannaCry ransomware 
crippled information systems around the world.
    Hackers infected an estimated 200,000 computers in more 
than 150 countries. For the systems affected in the health care 
sector, the WannaCry attack meant that patients could not get 
their prescriptions at pharmacies and doctors even could not 
conduct surgery in their hospitals.
    Cyberattacks in this sector are unfortunately not a new 
problem. For example, in 2015 more than 113 million medical 
records were reportedly compromised by a cyber intrusion.
    In one widely publicized case involving a health insurance 
company, the personal information of nearly 79 million people 
was compromised.
    Cyberthreats have become a new reality that we must all 
face. Information systems connected to the internet are vital 
to the operation of our economy and our government. While this 
interconnectedness is essential, it brings vulnerabilities and 
unique challenges.
    Just this last week, an HHS task force released a major 
report on how to address cyber vulnerabilities within the 
department and the health care sector.
    This report identified many cybersecurity problems 
confronting the industry, the department and its multitude of 
health-related agencies.
    These problems include a lack of cybersecurity expertise in 
the workforce, a reliance on outdated legacy equipment and a 
failure of certain organizations to address vulnerabilities 
that can harm patients.
    Our witnesses from HHS today will speak about their ongoing 
efforts to address these threats both within the department and 
within the larger health care sector. I am also aware that HHS 
is working on a health care cyber center which I expect we will 
also address today.
    As with our previous hearing on information-sharing 
analysis centers, I think it's so important that we look for 
solutions. But toward that end I also want to make sure that 
our solutions are measurable, efficient and effective in 
protecting our nation's networks and systems. Defending our 
nation's health care sector against a wide range of cyber 
threats requires a coordinated effort involving many players 
and approaches.
    Because this is such an important area, we must continue to 
find ways to strengthen our cybersecurity systems, particularly 
relating to health care, including the problem of ransomware 
and the threat of insurance and medical records theft.
    Mr. Chairman, I am looking forward to continuing to work 
closely on these issues with you as we do our work in this 
vital area, and I yield back.
    Mr. Murphy. Thank you.
    I now want to recognize the chairman of the full committee, 
Mr. Walden.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. I thank the gentleman for having this very 
important hearing. This is really critical work we are all 
engaged in together.
    Our lives continue to become more interconnected every day. 
This explosion of digital connectivity and information 
technology provides us with previously unimaginable 
convenience, engagement, capabilities, and opportunities for 
innovation.
    But for all its benefits, the digitization of our daily 
lives also comes with risk. The internet information 
technologies are inherently insecure. With time, motivation, 
and resources, someone halfway around the world can find a way 
into almost any product system.
    As the opportunities for attackers proliferate, the 
potential consequences of their actions are becoming more and 
more costly and severe. As more products, services, and 
industries become connected to the digital world, we must 
acknowledge that the threat is no longer just data and 
information. It is literally public health and safety.
    For the health care sector, these factors present a very, 
very real threat and equally daunting challenge. As we 
witnessed with the recent WannaCry ransomware outbreak, 
portions of the National Health System in the U.K. had to turn 
away patients except for emergency care after vulnerable 
systems fell victim to the exploit.
    WannaCry did not appear to be a targeted attack on health 
care but the potential consequence of the exploit on health 
care--including patient safety--was far more severe. If this 
had been a more sophisticated exploit or a target attack on the 
health care sector, the consequences, as we all know, would 
have been far worse.
    The health care sector is starting to grasp this new 
reality but, as noted in the recent task force report, which we 
will discuss today, health care cybersecurity is in ``critical 
condition'' and requires ``immediate and aggressive 
attention,'' which brings us to today's hearing.
    Clearly, the sector needs leadership. HHS is uniquely 
situated to fill this void. Historically, the department has 
struggled to effectively embrace this responsibility but that 
trend cannot continue.
    More recently, HHS has started to demonstrate a commitment 
and focus to addressing the rampant challenges in health care 
cybersecurity. For example, the department's actions in 
response to the WannaCry ransomware--coordinated through the 
newly established HCCIC--have generally received praise from 
the sector.
    This and other recent actions are positive signs that the 
department is heading in the right direction. But HHS has a 
long way to go to demonstrate the leadership necessary to 
inspire change across the sector. It needs to be open and 
transparent about who is in charge and provide clarity about 
the roles and responsibilities, not only internally but across 
the sector. They need to make sure that a small rural hospital 
not only knows exactly who to call but also has access to the 
resources and information to keep their patients safe.
    This hearing provides an opportunity for HHS to provide 
some much-needed clarity about your internal structure, as well 
as outline plans to elevate cybersecurity across the sector.
    The sector is operating on borrowed time. Cyber threat is 
spreading and left unchecked it will pose an increasingly 
greater threat to public health. So we appreciate your 
guidance, your testimony and your leadership on this.
    We look forward to continuing the partnership to make sure 
that Americans are safe and secure wherever they are as it 
relates to the internet.
    [The prepared statement of Mr. Walden follows:]

                 Prepared statement of Hon. Greg Walden

    Our lives continue to become more interconnected every day. 
This explosion of digital connectivity and information 
technology provides us with previously unimaginable 
convenience, engagement, capabilities, and opportunities for 
innovation.
    For all its benefits, however, the digitization of our 
daily lives also comes with risk. The internet and information 
technologies are inherently insecure. With time, motivation, 
and resources, someone halfway around the world can find a way 
into almost any product system.
    As the opportunities for attackers proliferate, the 
potential consequences of their actions are becoming more 
severe. As more products, services, and industries become 
connected to the digital world, we must acknowledge that the 
threat is no longer just data and information--it is public 
health and safety.
    For the health care sector, these factors present a very 
real threat--and equally daunting challenge. As we witnessed 
with the recent WannaCry ransomware outbreak, portions of the 
National Health System in the U.K. had to turn away patients 
except for emergency care after vulnerable systems fell victim 
to the exploit.
    WannaCry did not appear to be a targeted attack on health 
care, but the potential consequence of the exploit on health 
care--including patient safety--was far more severe. If this 
had been a more sophisticated exploit, or a targeted attack on 
the health care sector, the consequences could have been far 
worse.
    The health care sector is starting to grasp this new 
reality but, as noted in the recent task force report, which we 
will discuss today, health care cybersecurity is in ``critical 
condition'' and requires ``immediate and aggressive 
attention.''
    Which brings us to today's hearing. Clearly, the sector 
needs leadership. HHS is uniquely situated to fill this void. 
Historically, the Department has struggled to effectively 
embrace this responsibility, but that trend cannot continue.
    More recently, HHS has started to demonstrate a commitment 
and focus to addressing the rampant challenges in health care 
cybersecurity. For example, the Department's actions in 
response to the WannaCry ransomware--coordinated through the 
newly established HCCIC--have generally received praise from 
the sector.
    This and other recent actions are positive signs that the 
Department is heading in the right direction. But HHS has a 
long way to go to demonstrate the leadership necessary to 
inspire change across the sector. It needs to be open and 
transparent about who is in charge and provide clarity about 
the roles and responsibilities, not only internally but across 
the sector. They need to make sure that a small rural hospital 
not only knows exactly who to call, but also has access to the 
resources and information to keep their patients safe.
    This hearing provides an opportunity for HHS to provide 
some much needed clarity about its internal structure, as well 
as outline its plan to elevate cybersecurity across the sector.
    The sector is operating on borrowed time. The cyber threat 
is spreading and, left unchecked, it will pose an increasingly 
greater threat to public health.

    Mr. Walden. With that, I would yield time to the chairman 
of the Health Subcommittee, Dr. Burgess.
    Mr. Burgess. Thank you, Mr. Chairman. I appreciate you 
yielding. Chairman Murphy, thank you for holding the hearing. 
It's a timely topic and, of course, it has real physical 
consequences.
    I am glad to see the recently published Health Care 
Industry Cybersecurity Task Force Report, which we have now had 
available. It's produced by the Health Care Industry 
Cybersecurity Task Force and it's a step in the right direction 
in improving our ability to prevent and respond to 
cybersecurity events. It identifies the challenges posed by the 
health care and public health sector in maintaining security 
across unique platforms and devices that must work in concert 
to enable accurate and timely deliverance of patient care.
    It's even more important when we are considering that 
health care information or health information isn't something 
that can be easily changed like a credit card number or a phone 
number. The health information that is there is there for life 
and the integrity of the data is paramount to protecting 
patient safety. I can only imagine the consequences of changing 
a person's blood type, their allergy list or their disease 
diagnosis in a system that is relying upon that information to 
treat patients.
    Overall, the health care and public health sector has 
improved its ability to manage cybersecurity events including 
the HHS' management of the WannaCry malware. But the balance 
between securing important data and protecting patient privacy 
needs continuous evaluation and adjustment. It is indeed a 
delicate balancing act.
    Is there a point where information sharing creates more 
vulnerability in identifying entities as targets of attack? 
What happens when a health care organization limits the 
reporting of breaches of a sharing of information for fear of 
losing customer confidence or becoming a target? How do we 
increase the availability of cybersecurity professionals in the 
health sector?
    So I thank our witnesses for being here. I look forward to 
these discussions and it should be an eventful morning.
    I yield back, Mr. Chairman.
    [The prepared statement of Mr. Burgess follows:]

             Prepared statement of Hon. Michael C. Burgess

    Good morning. Cybersecurity in the health care sector is a 
timely topic that has real, physical consequences. In almost 
three decades as a practicing physician, ransomware was never 
an issue I faced. Now, the threats posed by malicious actors 
are almost universal across the sector due to legacy systems, 
poor cyber hygiene, and a severe shortage of qualified 
cybersecurity professionals.
    Most cyber attacks have the potential to cause real harm, 
depending on the severity and target. However, in health care 
cybersecurity, it is a certainty. Anytime information in the 
health care and public health sector is compromised, it poses a 
risk to providers, patients, and all those who serve and supply 
them.
    The recent WannaCry ransomware infected thousands of 
computers across the world and severely impacted the health 
care sector in the United Kingdom. While the U.S. health sector 
was largely spared from this paralyzing malware, some 
organizations continue to deal with the effects of trying to 
eradicate this virus from their systems. The ease with which 
WannaCry was able to infect so many systems is alarming--and it 
was entirely preventable. While this particular malware only 
sought to lock information until a ransom was paid, the 
threshold remains low for more malicious actors to access 
critical health systems. We must work to acquire the cyber 
expertise, resources, and structure to combat such 
vulnerabilities.
    The report produced by the Health Care Industry 
Cybersecurity task force is a step in the right direction in 
improving our ability to prevent and respond to cybersecurity 
events. The report also identifies the challenges posed by the 
health care and public health sector in maintaining security 
across unique platforms and devices that must all work in 
concert to enable accurate and timely patient care.
    This is even more important when considering that health 
information isn't something you can easily change, such as a 
credit card or phone number. Your health information is your 
information for life, and the integrity of this data is 
paramount to protecting patient safety. Can you imagine the 
consequences of altering a person's blood type, allergies, or 
disease diagnosis in a system relied upon by providers to 
treat patients?
    Overall, the health care and public health sector has 
improved its ability to manage cybersecurity events, including 
HHS' management of the WannaCry malware that resulted in 
minimal effect on U.S. health organizations. But the balance 
between securing important data and protecting patient privacy 
needs continuous evaluation and adjustment. Is there a point 
where information sharing creates more vulnerability by 
identifying entities as targets of attack? What happens when 
health care organizations limit reporting of breaches or the 
sharing of information for fear of losing customer confidence 
or becoming a target? How do we increase the availability of 
cybersecurity professionals in the health sector? I look 
forward to discussing these and other issues with the witnesses 
today. Thank you.

    Mr. Murphy. Thank you.
    I now recognize Mr. Pallone for an opening statement of 5 
minutes.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. Thank you, Mr. Chairman.
    This committee has a long history of examining 
cybersecurity. The federal government continues to make 
progress towards addressing vulnerabilities in the health care 
sector. But it's clear that we still have a lot of work to do.
    For example, the 2015 Anthem attack highlighted the need 
for all industry members to come together and find solutions to 
cyberthreats. More recently, the WannaCry ransomware attack 
demonstrated that cyberattacks have real-world consequences that 
can place patients at risk. And now with the interconnection of 
health records and a network of connected medical devices, the 
threat of cyberattacks on critical parts of our health care 
infrastructure is ever present.
    While there is no single solution, it appears the 
Department of Health and Human Services is making some traction 
in assisting its own agencies and private stakeholders in 
confronting cyberthreats. We must make sure that HHS has the 
resources it needs to develop and implement a robust 
cybersecurity strategy, something I hope we can explore today.
    Just this past week, an HHS task force released a long-
awaited report that describes challenges and makes 
recommendations to address cyberthreats facing the health care 
sector. The task force determined that the health care sector 
must pay immediate and aggressive attention to cybersecurity. 
It also made a host of important recommendations to the health 
care industry and HHS to consider.
    There are no easy solutions for the issues highlighted in 
this report. I look forward to hearing how the administration 
intends to address them and, importantly, how this committee 
intends to hold HHS accountable for progress or lack of 
progress on this issue. I am also interested in learning about 
how HHS plans to develop its newly proposed Health 
Cybersecurity and Communication Integration Center and what 
challenges it faces in establishing and operating it.
    And finally, Mr. Chairman, I am interested in understanding 
whether HHS has the budgetary resource it needs to 
appropriately address its cybersecurity responsibilities. This 
includes efforts to prevent cyberattacks. It also includes the 
HHS' responsibilities to hold regulated entities accountable, 
especially when those entities fail to protect the sensitive 
health care information that we trust them to safeguard.
    And in conclusion, Mr. Chairman, we need to up our game if 
we intend to defend against a growing number of cyberattacks 
facing the health care sector.
    I am pleased to welcome our witnesses from HHS and I look 
forward to hearing from them about how HHS can enhance our 
health care cybersecurity. But that being said, I believe we 
still have a long way to go to improve our preparedness in this 
area and I look forward to hearing how this committee intends 
to hold HHS accountable moving forward.
    And I yield back. Thank you, Mr. Chairman.
    [The prepared statement of Mr. Pallone follows:]

             Prepared statement of Hon. Frank Pallone, Jr.

    Mr. Chairman, thank you for holding this hearing today.
    This Committee has a long history of examining 
cybersecurity. The federal government continues to make 
progress toward addressing vulnerabilities in the health care 
sector, but it is clear that we still have a lot of work to do.
    For example, the 2015 Anthem attack highlighted the need 
for all industry members to come together and find solutions to 
cyber threats. More recently, the ``WannaCry'' ransomware 
attack demonstrated that cyberattacks have real world 
consequences that can place patients at risk.
    And now, with the interconnection of health records--and a 
network of connected medical devices--the threat of 
cyberattacks on critical parts of our health care 
infrastructure is ever-present.
    While there is no single solution, it appears the 
Department of Health and Human Services (HHS) is making some 
traction in assisting its own agencies and private stakeholders 
in confronting cyber threats. We must make sure that HHS has 
the resources it needs to develop and implement a robust 
cybersecurity strategy--something I hope we can explore today.
    Just this past week, an HHS task force released a long-
awaited report that describes challenges and makes 
recommendations to address cyber threats facing the health care 
sector.
    The task force determined that the health care sector must 
pay ``immediate and aggressive attention'' to cybersecurity. It 
also made a host of important recommendations for the health 
care industry and HHS to consider.
    There are no easy solutions for the issues highlighted in 
the report. I look forward to hearing how the administration 
intends to address them--and, importantly, how this Committee 
intends to hold HHS accountable for progress, or lack of 
progress, on this issue.
    I am also interested in learning about how HHS plans to 
develop its newly proposed Health Cybersecurity and 
Communications Integration Center, and what challenges it faces 
in establishing and operating it.
    Finally, Mr. Chairman, I am interested in understanding 
whether HHS has the budgetary resources it needs to 
appropriately address its cybersecurity responsibilities. This 
includes efforts to prevent cyberattacks. It also includes the 
HHS's responsibilities to hold regulated entities accountable, 
especially when those entities fail to protect the sensitive 
health care information that we trust them to safeguard.
    In conclusion, Mr. Chairman, we need to up our game if we 
intend to defend against a growing number of cyberattacks 
facing the health care sector.
    I am pleased to welcome our witnesses from HHS, and I look 
forward to hearing from them about how HHS can enhance our 
health cybersecurity. But that being said, I believe we still 
have a long way to go to improve our preparedness in this area, 
and I look forward to hearing how this Committee intends to 
hold HHS accountable moving forward.
    Thank you and I yield back.

    Mr. Murphy. Thank you.
    And so now I ask unanimous consent that the members' 
written opening statements be introduced into the record and 
without objection the documents will be entered into the 
record.
    Now I'd like to introduce our panel of esteemed federal 
witnesses for today's hearing. Mr. Steve Curren, director of 
the Division of Resilience, Office of Emergency Management, 
Office of the Assistant Secretary for Preparedness and Response. 
Welcome here.
    Mr. Leo Scanlon, deputy chief information security officer 
and designee for cybersecurity for HHS under the Cybersecurity 
Act of 2015, welcome. And Mr. Emery Csulak--did I say that 
right? OK. Chief Information Security Officer and Senior 
Privacy Official, Centers for Medicare and Medicaid Services 
and Co-chair of the Health Care Industry Cybersecurity Task 
Force.
    Thank you all for being here today and providing testimony. 
We look forward to a very productive discussion on this.
    Now, I understand, Mr. Curren, you'll be the one presenting 
the initial testimony? But since you all may be asked to 
comment we will ask you all to be sworn in.
    You're all aware that since this committee is holding an 
investigative hearing when so doing it has the practice of 
taking testimony under oath. Do any of you have objections to 
taking testimony under oath? Seeing none, the chair then 
advises you that under the rules of the House and rules of the 
committee you are entitled to be advised by counsel. Do any of 
you desire to be advised by counsel during testimony today? And 
seeing none there, too. In that case, will you all please rise 
and raise your right hand. I'll swear you in.
    [Witnesses sworn.]
    Thank you very much. Seeing that all have answered in the 
affirmative you're now under oath and subject to the penalties 
set forth in Title 18 Section 1001 of the United States Code.
    So members are aware, I mentioned that the department has 
submitted one written testimony on behalf of all three 
witnesses. Each plays a distinct cybersecurity role within the 
department.
    They will give a brief opening statement describing their 
roles and responsibilities. Mr. Curren will begin before 
turning to his colleagues. Each witness' opening statement is 
reflected in the department's written testimony.
    Mr. Curren, you are recognized for an opening statement.

 STATEMENTS OF STEVE CURREN, DIRECTOR, DIVISION OF RESILIENCE, 
    OFFICE OF EMERGENCY MANAGEMENT, OFFICE OF THE ASSISTANT 
  SECRETARY FOR PREPAREDNESS AND RESPONSE, U.S. DEPARTMENT OF 
     HEALTH AND HUMAN SERVICES; LEO SCANLON, DEPUTY CHIEF 
  INFORMATION SECURITY OFFICER, U.S. DEPARTMENT OF HEALTH AND 
   HUMAN SERVICES; EMERY CSULAK, CHIEF INFORMATION SECURITY 
 OFFICER AND SENIOR PRIVACY OFFICIAL, CENTERS FOR MEDICARE AND 
MEDICAID SERVICES, CO-CHAIR, HEALTH CARE INDUSTRY CYBERSECURITY 
                           TASK FORCE

                   STATEMENT OF STEVE CURREN

    Mr. Curren. Good morning, Chairman Murphy, Ranking Member 
DeGette and distinguished members of the House Energy and 
Commerce Subcommittee on Oversight and Investigations.
    I am Steve Curren, director of the Division of Resilience 
within the Office of Emergency Management in the Office of the 
Assistant Secretary for Preparedness and Response, or ASPR. 
Today I will be discussing ASPR's functions and cybersecurity 
mission within the Department of Health and Human Services.
    ASPR was authorized by the 2006 Pandemic and All-Hazards 
Preparedness Act and works within HHS with federal, state, 
tribal, territorial and local partners to protect the public 
from the health and medical impacts of emergencies and 
disasters. ASPR's responsibilities are broad and include 
overseeing advanced research, development and procurement of 
medical countermeasures; leading federal public health and 
medical response efforts under the National Response Framework; 
serving as the federal lead agency for the health care and 
public health sector under the National Infrastructure 
Protection Plan; and providing integrated policy and strategic 
direction under the National Health Security Strategy.
    ASPR's Office of Emergency Management is responsible for 
many of ASPR's core preparedness, response and disaster 
recovery capabilities. OEM provides communities with the 
resources necessary to support disaster planning efforts and 
ensures that the health care system can respond to a wide 
variety of emergencies. Within OEM, I am responsible for ASPR's 
continuity of operations program which works to ensure the 
resilience of HHS' systems and programs in the face of 
emergencies and disruptions. I am also responsible for the 
critical infrastructure protection program which focuses on the 
security and resilience of private sector health care partners.
    ASPR works with all levels of government and the private 
sector to mitigate risk from all hazards including physical and 
cyberthreats. Over the past 5 years, few infrastructure issues 
have challenged the health sector more than the proliferation 
of cyberattacks. Within our modern system of health care, 
nearly everything is connected through a system of systems 
including dialysis machines and electronic health records. 
Cyber is both a direct and a secondary threat. It could impact 
everyday patients in health care delivery by locking down 
access to important medical information and lifesaving 
equipment. It can also exacerbate an existing emergency where 
hospitals and emergency first responders are already working at 
a frantic pace to save lives. They cannot afford to lose access 
to communications or risk further delays in their response.
    Since 2014, the sector has been hit with a wave of large 
health care information breaches, compromising the personal 
information of hundreds of millions of individuals. In 2016, we 
started to see the rise of health care ransomware attacks. In 
these attacks, computer malware is used to lock up the files of 
health care organizations while criminals demand payment in 
exchange for restored access. These attacks shifted the threat 
landscape considerably as they no longer threaten just personal 
information but the ability of health care organizations and 
thus communities to provide patient care.
    When the massive WannaCry ransomware attack hit dozens of 
hospitals in the United Kingdom just a few weeks ago, ASPR took 
immediate action to engage the broader U.S. health sector and 
ensure that IT security specialists had the necessary 
information to protect against, respond to and report 
intrusions. This effort included calls with up to 3,100 
participants each, daily messages with answers for frequently 
asked questions, resources from other federal departments and 
agencies and guidance on how to report attacks.
    Beyond specific threats, ASPR and our partners have decided 
to organize a joint public and private sector working group for 
cybersecurity to implement national policies such as the 
National Institute of Standards and Technology cybersecurity 
framework and the National Cyber Incident 
Response Plan. We have also benefited from the Cybersecurity 
Act of 2015 which provided the sector with a structure to drive 
its continued engagement in cybersecurity.
    ASPR led HHS' efforts to establish and support the Health 
Care Industry Cybersecurity Task Force, which has completed its 
term and recently delivered its report to Congress.
    In closing, HHS' cybersecurity mission is a national 
response requiring broad collaboration. The department is 
committed to a safe, secure, and resilient cyber environment that 
promotes cybersecurity knowledge, innovation, confidentiality, 
and privacy in collaboration with government, private sector, 
and international partners.
    While the cyber realm is ever evolving and presenting new 
challenges, please be assured that HHS and our partners are 
moving in the right direction.
    Mr. Murphy. All right. Thank you very much.
    I will now recognize myself for some opening questions for 
5 minutes. Oh, we are going to hear from the other ones? All 
right. I am sorry. I didn't realize how much this was going to 
go.
    Mr. Scanlon.
    [The prepared statement of Messrs. Curren, Scanlon, and 
Csulak follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



                    STATEMENT OF LEO SCANLON

    Mr. Scanlon. Thank you.
    Good morning, Chairman Murphy, Ranking Member DeGette, and 
members of the subcommittee. I am Leo Scanlon, Deputy Chief 
Information Security Officer and the designated Senior Advisor 
for Health Care, Public Health Sector Cybersecurity at the 
Department of Health and Human Services.
    I am also the designated Senior Advisor of Public Health. I 
already said that. I will be discussing the agency's response 
to CISA, in particular the designation of senior advisor and 
the establishment of the Health Care Cybersecurity 
Communications Integration Center--otherwise known as the 
HCCIC.
    Both of these actions will support enhanced public-private 
partnerships through regular engagement and outreach to the 
sector. These actions are consistent with Executive Order 13800 
and are a direct response to the Cybersecurity Act of 2015.
    These critically important steps will leverage HHS 
capabilities and outreach to help the HPH sector improve its 
preparedness for and response to security incidents now and 
into the future.
    The senior advisor of cybersecurity will align and 
coordinate the internal stakeholders to collaborate with the 
private sector, the U.S. Department of Commerce's National 
Institute of Standards and Technology, NIST, and the U.S. 
Department of Homeland Security, DHS, to develop voluntary 
guidelines to support adoption of the NIST cybersecurity 
framework and to support the HPH sector risk reduction and 
resilience.
    DSA is the chair of the HHS Cybersecurity Working Group, 
which is the principal forum for coordinating cybersecurity 
support and response across all HHS operating divisions and 
staff divisions. DSA and the CSWG are tasked with the job of 
establishing a one-stop point of access to HHS cybersecurity 
capabilities--a cyber 311 that will allow access to HHS for the 
entire sector, especially the small and rural provider entities 
who rarely interact with the federal government and who need 
sector-specific mitigation strategies, guidance, and follow-on 
assistance in response to cyberattacks.
    The HCCIC is designed to be the central location for HPH 
information sharing and will allow HHS to extend internal 
threat sharing and analytic capability to our federal partners, 
law enforcement and intelligence partners, the National 
Cybersecurity and Communications Integration Center, the NCCIC, 
and our private sector partners at the NHISAC and other ISACs. 
The most important outputs of the HCCIC, though, are products 
and guidance that are human consumable by entities that do not 
have the sophisticated technology that supports machine speed 
reaction to threat indicators. Smaller entities need 
information that they can use no matter what their capabilities 
are. This includes basic cybersecurity guidance, how-to 
instructions as well as assistance in contacting specialists 
within HHS and assistance in accessing federal capabilities 
such as those that are available through the DHS and the NCCIC.
    In the recent WannaCry mobilization, HCCIC analysts 
provided early warning of the potential impact of the attack 
and HHS responded by putting the secretary's operation center, 
the SOC, on alert. This was the first time that a cyberattack 
was the focus of such a mobilization and HCCIC was able to 
support ASPR's interactions with the sector by providing real-
time cyber situation awareness, best practices guidance and 
coordination with US-CERT and the IRT teams at the NCCIC.
    Sector calls generated by ASPR reached thousands of health 
care organizations and providers. One call had more than 3,000 
lines open and continued for more than two hours of questions 
and discussion. The experience provided a rich set of lessons 
learned and has highlighted the disturbing reality that the 
true state of cybersecurity risk in the sector is under 
reported by orders of magnitude and the vast majority of the 
HPH sector is in dire need of cybersecurity assistance.
    The SA, the HCCIC, and the CSWG have the long-term task of 
assisting the sector to shift from a compliance-oriented 
security posture to a dynamic risk management approach. This 
means different things at different levels of the sector, but 
one thing is clear. The regulatory mechanisms that served to 
call attention to the need to protect PHI and PII are 
fundamentally challenged by the technical capabilities of 
threat actors who operate at scale and machine speed and who 
have brought the specter of life-threatening impact from a 
cyberattack into the operating rooms and ambulances of our 
providers and first responders.
    HHS is prepared to play a leading role in addressing that 
challenge.

                   STATEMENT OF EMERY CSULAK

    Mr. Csulak. Thank you.
    Chairman Murphy, Ranking Member DeGette and members of the 
subcommittee, thank you for the opportunity to discuss the work 
of the department's Health Care Industry Cybersecurity Task 
Force.
    In addition to my role as the chief information security 
officer and senior official for privacy at the Centers for 
Medicare and Medicaid Services, for the last year I served as 
the government co-chair of the task force.
    The Cybersecurity Act of 2015 required the Department of 
Health and Human Services to convene top subject matter experts 
from across industry and government to address the growing 
challenges of cybersecurity attacks targeting health care.
    The task force spent a year receiving and reviewing input 
from experts from inside and outside the health care industry 
and the general public in order to develop recommendations and 
action items for a congressional report that was released 
earlier this month. I want to thank the 21 task force members, 
including 17 from private sector organizations, whose 
contributions made this report possible based on their passion 
to improve the sector.
    The task force worked diligently to balance the industry 
and government perspectives. The task force discussions 
resulted in the development of six imperatives along with 
cascading recommendations and action items. All of these 
reflect the need for a unified effort among public and private 
sector organizations of all sizes and across all subsectors to 
work together to meet an urgent challenge. They also reflect 
shared understanding that for the health care industry 
cybersecurity issues are, at the heart, patient safety issues.
    I want to take this opportunity to provide a brief overview 
of some of the report's most important recommendations. These 
are the steps that can be taken within the industry as well as 
by the federal government, including recommendations for HHS to 
consider in addressing the cybersecurity challenges facing the 
sector. A few key themes emerged from these recommendations.
    First, the task force identified the need for cybersecurity 
leadership. The report outlines the importance of leadership to 
drive organizational change and ensure adequate visibility 
across organizations. For HHS cybersecurity leadership focuses 
on aligning programs to ensure a consistent message and 
standards across HHS with engagement of industry.
    The task force also addresses the need to reduce burden for 
small and rural providers who may have additional challenges in 
meeting HHS regulations. For industry, leadership focuses on 
communication with executives, driving change, and taking a 
comprehensive look at the threats facing an organization. 
Industry needs cybersecurity governance models that work for 
organizations of all sizes and provider types.
    Second, the task force report highlights the importance of 
protecting medical devices and other health IT. Medical devices 
and electronic health records expand the attack surface which 
can directly impact patient safety. Some issues raised in the 
report include taking a total life cycle approach to 
recommending a mix of regulation, accreditation, information 
sharing, and voluntary development and adoption of standards to 
promote system security from product design and development 
through product end of life.
    Third, the task force found that HHS needs to make the 
discussion, oversight, and engagement around cybersecurity 
clearly and consistently messaged. This includes completing 
work on a voluntary cybersecurity framework established in the 
Cybersecurity Act of 2015 and harmonizing regulations and 
guidance as part of HHS' sector engagement. By speaking the 
same language, barriers to education and improvement of the 
sector will be lowered. It is clear to members of the task 
force that we must consider the unique needs of small and rural 
organizations as well as new entrants and innovators. These 
organizations can have different and sometimes more acute needs 
than large organizations who have already invested in 
cybersecurity and infrastructure. Harmonizing regulations can 
help to reduce burden on these organizations in particular and 
thus increase patient safety.
    Finally, the task force calls for continuing to strengthen 
public-private partnerships. In particular, the task force 
calls for the establishment of an ongoing public-private forum 
similar to the task force to further the discussions of health 
care industry cybersecurity as the industry evolves.
    Task force members found this engagement with federal 
partners beneficial to understand our common cybersecurity 
challenges and concerns.
    These efforts will also enable an ongoing conversation and 
develop strategies to identify resources and incentives that 
would help to overcome the barriers faced by small and rural 
organizations.
    While much of what we recommend will require hard work, 
difficult decisions, and commitment of resources, we will be 
encouraged and unified by our shared values as health care 
industry professionals in our commitment to providing safe 
high-quality care.
    Thank you for the opportunity to share the task force work 
and I am happy to answer any of your questions.
    Mr. Murphy. I thank all of our panel for your statements.
    I want to read the opening sentence here from the Health 
Care Industry Cybersecurity Task Force, where it says the 
health care system cannot deliver effective and safe care 
without deeper digital connectivity.
    If the health care system is connected but insecure, this 
connectivity could betray patient safety, subjecting them to 
unnecessary risk and forcing them to pay unaffordable personal 
costs.
    To that end, Mr. Curren, want to highlight why this is 
important? In your opinion, what is at stake when health care 
information is compromised by a cyber threat? How bad does this 
get?
    Mr. Curren. Thank you very much for the question.
    It is an issue that's very important to us and that we take 
very seriously because the risk of attacks to the health care 
infrastructure from cyberattacks really is confidence in the 
health care system in general and we think that patients should 
have confidence in the system to provide care, also to provide 
protection to their information.
    You asked about the need to balance two very important 
concerns. One concern is the use of electronic medical records 
and other health technologies to advance care, to link 
information, to provide medical devices that provide excellent 
care to individuals as well as provide the security to keep 
those systems and those devices safe and that is the commitment 
I think that the task force made as we were involved in their 
discussions was to advance those issues together because really 
we can't do one without the other. We need to rely on these 
technologies. We also need to focus on keeping them safe.
    Mr. Murphy. But along these lines--in terms of what could 
happen here, whether it is like what happened in the United 
Kingdom--blocking a system from working entirely so voluntary 
surgery and others and emergency care was all diverted. But it 
could also affect things like information about what is in a 
medical record, medications a person may take and it could 
also interfere with the functions of a wide range of medical 
devices. Am I clear on that?
    Mr. Curren. There's always potential for patient safety 
issues related to cybersecurity incidents and we like to put 
that into context.
    We don't think the patient should overweigh the concern of 
cybersecurity risk when they go seek care. We do believe the 
benefits of care, the benefits of these devices and these 
systems greatly outweigh the risks that are there.
    However, we do need to take the risks seriously. What I can 
say is that HHS--we are set up to respond to both the cyber 
impacts of these attacks as well as the potential physical 
impacts, impacts on health care. Through our program ASPR, just 
to give the WannaCry example as one example, we worked very 
closely with Leo's organization and the HCCIC. They were active 
in getting the latest information on the threat, analyzing it, 
understanding what the issues were and communicating that to 
our partners in the health care sector.
    Meanwhile, we were working out of the secretary's operation 
center and prepared for any type of health care impact that 
there might have been to provide resources that ASPR has to 
assist in those responses.
    Mr. Murphy. And I appreciate it. I will get to that in a 
minute and you did play a vital role here. But I'm concerned 
about that information about the various roles and capability 
of HHS.
    Has it been adequately conveyed to industry yet? And this 
has got to be a public-private partnership. So we are aware you 
created the HCCIC and to serve as the nexus for cybersecurity 
efforts.
    But to date there has been little public information about 
this new center to start. So why did HHS decide to establish 
the HCCIC? Did someone recommend this and is there a reason for 
this recommendation?
    Mr. Curren. Let me start out, then I will hand it to my 
colleague, Leo Scanlon. We have had a partnership with the 
private sector for many years in critical infrastructure 
protection since Homeland Security Presidential Directive 7 in 
2003 started these infrastructure partnerships across 16 
critical infrastructure sectors.
    What has changed in the past several years is the 
importance of the cyberthreat and HHS is evolving to meet that 
threat.
    So we work very closely with our partners both internal to 
HHS as well as externally. So, Leo, maybe expand on the HCCIC.
    Mr. Scanlon. Yes, sir.
    The impulse to establish the HCCIC, continuing on what 
Steve just pointed out, is really based on the evolution of the 
way defense against these threats is carried out.
    We've learned over the past few years that the machine 
generated information that we now have from our log files and 
our firewalls and other defensive devices is an enormous 
firehose of information and ultimately has to be analyzed by 
analysts who are specialists who can interpret, understand and 
put context to this information and that's best carried out in 
a collective environment where people sit together and can 
communicate in real time and be in touch with their external 
organizations and other partners and this is what the NCCIC 
floor, for example, is all about.
    That's what it does at a national level. It allows 
different sectors and organizations and intelligence 
organizations to be present, communicate and share information.
    The HCCIC is designed to do that both across the HHS 
operating divisions to knit together the very formidable 
capabilities that exist in each of our operation divisions of 
CMS, CDC, NIH and put them together in real time and then 
provide real-time links to our partners externally and that's 
the fundamental purpose of it.
    Mr. Murphy. Who recommended this?
    Mr. Scanlon. It was our internal decision to take the 
existing capabilities that we have that were set up in a 
disparate fashion, unite them in a common place and take this 
model of threat sharing which has now become an industry 
standard and apply it to the challenge that we face.
    So it was an immediate response in that sense to the CISA 
Act requirement that we develop the capacity to share threats 
in real time with the sector.
    So that's the capability that the HCCIC provided and that 
was the form that we determined was the most efficient and 
effective way to do that.
    Mr. Murphy. OK. Thank you.
    Ms. DeGette, 5 minutes.
    Ms. DeGette. Thank you.
    As I mentioned in my opening statement, the WannaCry 
cyberattack was really a wake-up call. So I want to talk for a 
minute about what we are doing to prevent and to respond to 
these types of attacks in the health care sector.
    As we heard, HHS is launching the HCCIC, or the Cyber 
Center, and in your testimony you said that HCCIC was an 
integral part of ASPR's coordinated response to the WannaCry 
incident.
    So I just wanted to ask you, Mr. Curren, as you stated and 
also I noted in my opening the Cyber Center was established to 
address gaps in cybersecurity and also to help prevent attacks 
like this WannaCry attack. Is that right?
    Mr. Curren. And this would be the HCCIC.
    Ms. DeGette. Yes.
    Mr. Curren. Yes, and Leo could talk more to that. Within 
ASPR we coordinate for the WannaCry incident response. Whether 
it's a hurricane, tornado, or cyber event, we coordinate for 
the department. But the HCCIC was one capability within that 
for this cyberattack to coordinate the sharing of cyber 
information and response.
    Ms. DeGette. So how do you think this will happen? How do 
you think the Cyber Center can be effective in protecting HHS' 
health networks and systems? Go ahead, Mr. Scanlon.
    Mr. Scanlon. Thank you. Yes. So the value of the HCCIC is 
evidenced in the way we were able to work in the WannaCry 
incident.
    There's a broad and very deep communications capability 
that ASPR has to the sector. We were able to get another 
component of information gathered through cybersecurity 
specialists to provide situational awareness, which is the most 
important thing in a dynamic event.
    Facts are very hard to grab when an attack like this is 
going on. Attribution, who is doing it, what their intentions 
are and exactly what's going to happen next all disappears on a 
fog of activity.
    We were attempting at all times to bring the best knowledge 
that was available across the sector from US-CERT, from the 
NCCIC, from our sector partners and communicate that out.
    That's a capability that did not exist in a formalized way 
until we created the HCCIC and the intention of the HCCIC was 
to support the ASPR capability. They have all-hazards response. 
So this is a cybersecurity function that we wanted to bring 
into the all-hazards response capability.
    Ms. DeGette. Yes. Now, can you talk about FDA's information 
technology systems? Is that something you can talk about?
    Mr. Scanlon. I can tell you about what we did to 
communicate FDA's and the most important concerns that were 
raised in the----
    Ms. DeGette. OK. Yes. Well, there was this GAO report last 
August that said there were major weaknesses in the FDA's 
information technology.
    So what I was wondering is, number one, why were the FDA's 
IT systems allowed to be so plagued with the security issues 
and, number two, what's the agency doing about it?
    Mr. Scanlon. I think that it would be more appropriate for 
us to take that back and get back to you with specifics. None of 
us are from the FDA.
    Ms. DeGette. Right.
    Mr. Scanlon. So it would be not very----
    Ms. DeGette. OK. So you don't know the answers to that?
    Mr. Scanlon. I couldn't give you an authoritative answer.
    Ms. DeGette. So from the HHS perspective though, you didn't 
have very good visibility into what was happening over there. 
Is that right? At the FDA.
    Mr. Scanlon. You're referring to the GAO audit and the 
findings of the audit?
    Ms. DeGette. Right. Yes.
    Mr. Scanlon. This is not in any of our purview, honestly.
    Ms. DeGette. OK. If you can get back to me that would be 
good because----
    Mr. Scanlon. We would be very happy to do that.
    Ms. DeGette [continuing]. What we really worry about is 
that cybersecurity attacks they're going to come throughout all 
the government. They're not just going to focus on one agency. 
And so that's why we have to really----
    Mr. Scanlon. Well, ma'am, I could say to you though that 
one of the functions of the HCCIC has been to enhance the 
existing capabilities across our operating divisions, which are 
formidable and have been very effective in many, many ways.
    And so this is where the agency is taking steps constantly 
to evaluate, assess and improve our cybersecurity capabilities 
in all of our operating divisions.
    Ms. DeGette. OK. Do you think there's more we could be 
doing?
    Mr. Scanlon. There's always more we could be doing.
    Ms. DeGette. And what do you need from us to do more?
    Mr. Scanlon. I don't have to say we are always looking for 
funds to help us support these activities.
    Ms. DeGette. So if you want funds to support the activities 
what would be helpful to us is to know what those activities 
you need additional funding for.
    Mr. Scanlon. We could certainly get back to you with 
specifics.
    Ms. DeGette. Great. OK. Thank, Mr. Chairman. I yield back.
    Mr. Murphy. Thank you.
    I now recognize the vice chair of the committee, Mr. 
Griffith, for five minutes.
    Mr. Griffith. Thank you very much, Mr. Chairman. Thank you 
all for being here this morning. I am curious, as Congresswoman 
DeGette was talking about the FDA and she's right. They're not 
going to just try one door. They're going to try all the doors. 
So I would hope that they would be included.
    Maybe you all can help me out. I'm listening to all these 
initials being thrown around and this is not an area I'm 
comfortable with. HCCIC versus Health Care in Industry 
Cybersecurity Task Force that was called upon to be set up as a 
part of the Cybersecurity Act. What are the differences in 
those two?
    Mr. Scanlon. Yes. So the HCCIC is simply an easy way to say 
the large mouthful. The HCCIC is an organization within HHS and 
it is responding to, as I mentioned, in specific the 
recommendations in the Cybersecurity Information Sharing Act, 
which requested the agency or required the agency to establish 
the ability to do real-time sharing of threat indicators with 
the sector. So that is what the HCCIC does with respect to the 
CISA Act.
    Mr. Griffith. All right. Any of you all can answer this who 
feels comfortable with it--but the Health Care Industry 
Cybersecurity Task Force that was supposed to be set up, what 
is that doing and how often do they meet?
    Mr. Csulak. OK. The Health Care Industry Cybersecurity Task 
Force, again, was established as part of the Cybersecurity Act 
of 2015. It had a very segmented period of time. It was 
literally by the legislation to only last 12 months. So we 
completed our work earlier this year and during that time we 
met at least monthly with both industry as well as the 
government to inform and advise the 21 members of the task 
force in the creation of this report of really looking and 
analysing the challenges facing the health care sector in----
    Mr. Griffith. And we appreciate that the report came out. 
So you're telling me that you met at least 12 times during the 
year, maybe some more?
    Mr. Csulak. A lot more than 12 but the minimum was 12.
    Mr. Griffith. Could you get us a number on how many times 
you met?
    Mr. Csulak. It is actually in the appendices of the report.
    Mr. Griffith. Excellent.
    Mr. Csulak. You will see every single meeting that we had 
and who attended it.
    Mr. Griffith. All right. I appreciate that.
    And can you tell me how the representatives were selected 
to be on the task force from both the health care sector and 
from the federal government?
    Mr. Csulak. We did an open call of interested individuals 
for that. I believe Mr. Curren actually arranged the scheduling 
of all of that but we had over a hundred candidates who were 
self-nominated or nominated by their organizations.
    We formed a joint working group with NIST, DoD, DHS and HHS 
to look at the candidates and find candidates who represented 
cyber security practitioners in the field.
    Each of those four agencies I just mentioned nominated one 
person to represent the agency and then those representatives 
along with members on the task force identified 17 of the over 
100 candidates who were interested in the positions who had 
clear cybersecurity roles as part of their duties, were not 
just executives but were actual practitioners and would 
represent various parts of the industry.
    If you look at the legislation we needed to represent 
certain fields, we wanted to look at medical devices. We wanted 
to look at providers. There was a range of capabilities that we 
wanted to deal with so that's how they were done. We narrowed 
those down. We made sure that all of those members could be 
committed for a year and that's how it started.
    Mr. Griffith. Well, I appreciate that. Now, they came out 
with a number of recommendations and six imperatives and 
curious what action is now being taken to see that those six 
imperatives are addressed. Fortunately, it's in the stuff that 
we have and the first one is define and streamline leadership, 
governance and expectations for the health care industry 
cybersecurity. What steps do we take now? We've got a report. 
What's next?
    Mr. Csulak. When we look at it, basically the department, 
HHS, has had representatives throughout the course of this 
activity supporting the program. So although I was the 
government co-chair for the activities, each of those 
organizations have leadership representatives. They have 
membership on the Cybersecurity Working Group established 
within HHS and everybody is basically looking at those. And the 
task force recognizes there's a lot there, more than we could 
ever possibly do in one year, and really each of the groups are 
now stepping back and saying, how do we prioritize these, where 
do we find the resources for these and that is kind of an 
ongoing conversation that's going through the Cybersecurity 
Working Group.
    Mr. Griffith. And as that conversation goes on, as Ms. 
DeGette said earlier, you all need to let us know what we need 
to do, whether it's legislation or otherwise, so that we can 
assist you in that because making sure that, as you heard from 
some of the other questions, making sure that our health 
records are secure and making sure that we don't have folks who 
block us from getting to those records or using them for ill 
purpose is extremely important to all of us.
    Thank you, and I yield back.
    Mr. Murphy. Thank you.
    I now recognize Ms. Castor for 5 minutes.
    Ms. Castor. Thank you, Mr. Chairman, and thank you to all 
of you for helping to keep Americans' health records safe and 
secure. It's clear the health care sector faces increasing 
threats from cyberattacks and I'm concerned about the 
implications for sensitive patient information. HHS has a large 
role to play in protecting those records. Mr. Csulak, the 
Centers for Medicare and Medicaid Services is responsible for 
the Medicare and Medicaid electronic health records and I 
understand CMS helps eligible entities adopt and use electronic 
health records. Is that right?
    Mr. Csulak. How do we help them do that? Again, we 
published some standards that we do when we are working with 
any organization. The level and engagement is interpreted to 
what's appropriate for the various programs.
    Ms. Castor. So entities that handle electronic health 
records must comply with federal privacy and security 
regulations. It's crucial that companies are held accountable 
when they fail to protect consumers' private health 
information. Do you share that view?
    Mr. Csulak. Absolutely.
    Ms. Castor. And when a cyberattack occurs and private 
health information is compromised, HHS has the power to 
investigate. Specifically, the HHS Office for Civil Rights is 
empowered to investigate how the breach happened and demand 
changes so that it doesn't happen again. Is that correct?
    Mr. Csulak. Correct, for privacy breaches under HIPAA.
    Ms. Castor. So do you know what is in the president's 
proposed budget for the HHS Office of Civil Rights?
    Mr. Csulak. I can't speak outside of CMS and the task 
force. I don't know if one of my other speakers could speak to 
that.
    Ms. Castor. Well, that's OK. I looked it up. The president 
is proposing a budget cut of more than $6 million to HHS' 
enforcement of civil rights and health privacy information. 
Would these proposed cuts make it more difficult for HHS to take 
action against entities that fail to safeguard electronic 
health records?
    Mr. Csulak. I think it's a tough question. Let me answer it 
from the task force perspective. The task force perspective 
recognized that this is going to be an ongoing challenge and 
how do you actually have an oversight role that scales to the 
size of this industry with so many providers and health care 
small businesses out there. Can any one organization really 
scale up to be an oversight body for over a million providers 
in the United States?
    So the task force approach said look, regardless of the 
money and the resources of the Office of Civil Rights, as you 
mentioned, HHS probably needs to step back and look at other 
ideas.
    What are some of the other private partner--private-public 
partnerships that we can look at? Can we look at models like 
the SEC's stuff for audit account financing? How do we bring in 
other audit models? How do we look at other ways to do this 
without just relying on a large audit body within the 
organization.
    So the task force approach really looks at saying 
regardless of the money there how do we leverage the private 
industry to more effectively contribute to that knowledge base 
and to that body of work.
    Ms. Castor. But you'd have to say that when you take cops 
off the beat that's not helpful in holding companies 
accountable that have violated their responsibility for privacy 
records.
    I realize you're not with the HHS Office of Civil Rights 
but here is the budget justification about the proposed cuts 
and it says the budget reduction would require decreases in 
authorized regional investigators which would limit OCR's 
capacity to resolve complaints and perform other related agency 
functions such as investigations and compliance reviews.
    So isn't that the impression you get that cops would be 
taken off the beat here?
    Mr. Csulak. I really can't say, around the budget 
formulation for that activity. All I can say is that from the 
task force perspective there are options out there and we 
should be exploring those.
    Ms. Castor. Well, according to an article from the HIPAA 
journal it reports that, ``Those budget cuts could affect the 
agency's HIPAA enforcement activity.''
    So as we focus on the role of HHS and health care 
cybersecurity we must not forget the important role that HHS 
plays in enforcement privacy and security rules. I would hope 
that if the administration is serious about health care 
cybersecurity it would make sure that it has all the resources 
necessary for its cybersecurity responsibilities.
    Thank you very much. I yield back.
    Mr. Murphy. I'm curious. If you had that information from 
the HIPAA journal and you could share that with me I'd 
appreciate that. Thank you very much.
    Ms. Brooks, you are now recognized for 5 minutes.
    Ms. Brooks. Thank you, Mr. Chairman.
    Mr. Curren and Mr. Scanlon, I'm curious what lessons have 
been learned since the WannaCry attack. How are you taking the 
lessons learned and internalizing them within HHS, Mr. Curren, 
since the WannaCry attack?
    Mr. Curren. I can mention two and I'm sure we could talk 
about many that we learned in the WannaCry attack.
    We are an emergency response organization in ASPR. We learn 
lessons from every emergency we respond to and this is no 
different. We are actually going through an after action 
process, which we call it, to get information on what we can 
enhance for the next response.
    Two things we did that I think worked very well and we want 
to repeat. One is operating a cybersecurity response as an 
emergency response that marshalled the resources of the entire 
department, and the secretary's leadership in that was 
instrumental to working this issue out of the secretary's 
operation center sitting next to Leo and working calls with 
thousands of industry participants, getting information from 
other departments and agencies really was a helpful way to do 
it.
    I think the second is that the public-private partnerships 
are essential and we can't just stand them up during 
emergencies. We say in emergency management that disaster is 
not the time to exchange business cards and that's no different 
for a cyber incident. We were able to exchange information with 
partners who trusted us and we trusted them with the 
information. We don't want to have to wait to have the final 
polished version of every piece of information we want to share 
before we share it. It's uncomfortable.
    But in instances like this when time is of the essence, 
when systems needed to be patched we needed to get information 
out there immediately and having those trusted partnerships, 
being open, having a call on the first day with our partners 
really helped us to establish those relationships and get that 
information out there.
    Ms. Brooks. And before Mr. Scanlon answers, are there any 
rules or regulations or policies within HHS that are impeding 
those lessons learned?
    Mr. Curren, before we go on to Mr. Scanlon, are there any 
things that are impeding or obstacles to those lessons that 
you've learned?
    And with respect to public-private partnerships, that was 
the reason that in 2003 your office was created, if I recall----
    Mr. Curren. Yes.
    Ms. Brooks [continuing]. Was to create those public-private 
partnerships across all sectors between government and 
industry. And so it should just--it should just be how we 
operate, shouldn't it?
    Mr. Curren. That is correct, and that is something we've 
been doing for a long time. I think if anything has evolved in 
the past several years it's just the number of organizations 
involved in cybersecurity that we've continued to partner with 
and we've really grown that part of the partnership and that 
came into play with WannaCry.
    In terms of regulations or challenges that we are going to 
address, we are working through a number of issues that we 
think can help enhance the response and some of the matters we 
are looking at include protections for information and they 
come into the federal government. We know the private 
organizations don't always look to the federal government as 
the first place to share and they're concerned about legal 
liability with doing so. Even when we have protections in place 
it's essential that we are able to communicate those 
protections in real time so they can understand them, 
appreciate them, and be compelled to or feel free or feel open 
to share that information with us.
    So that's something that we need to do because it's a 
voluntary mechanism going to the federal government in most 
cases for this type of sharing. So the protections that were 
provided in the Cybersecurity Act I think take us a long way. I 
think we still have some work to do in terms of implementation 
and really communicating that to our partners.
    Ms. Brooks. Thank you.
    Mr. Scanlon.
    Mr. Scanlon. To your question as to policies that may 
impede, our experience in WannaCry was not so much that there 
were policies inside HHS that impede the communication in this 
emergency but it was misunderstanding of HHS policies as 
they're currently formulated widely through the sector that 
caused people to have a number of false ideas that we heard on 
the calls.
    For example, many medical device manufacturers and even 
users of those devices believe that FDA does not allow you to 
patch a device. This is absolutely incorrect. FDA makes great 
efforts to demystify that problem. But it is widely believed 
through the sector. We found that there was a tremendous need 
to communicate and will be an ongoing need to communicate 
broadly and deeply what FDA's policies actually are.
    Similarly, with OCR, and to Representative Barton's 
questions, there are many beliefs or misunderstandings about 
what you can and cannot report. But the statutes--PCII, HIPAA 
and CISA--are very, very clear in their encouragement of 
reporting of cybersecurity information during an incident.
    And, again, we feel that there's a need for much better 
communication. We are undertaking an effort internally to look 
at how we are presenting these policies to put them into more 
plain language and to provide plain language guidance that is 
agreed upon by us and other partners that we can get to the 
sector, that we can get to the incident response teams and 
really give them a framework in which they can communicate with 
us.
    Ms. Brooks. Thank you. My time is up. I yield back.
    Mr. Murphy. Thank you. I now recognize the gentleman from 
New York, Mr. Tonko, for 5 minutes.
    Mr. Tonko. Thank you, Mr. Chairman. Thank you and 
Representative DeGette for this hearing. I think the topic is 
extremely important.
    Cybersecurity is a serious and multifaceted issue that will 
require an investment of significant resources and you began to 
get into that with earlier questioning from Representative 
DeGette.
    And I understand that the president's budget includes some 
additional funding for cybersecurity efforts at HHS. Mr. 
Scanlon, how much of this new additional funding would be used 
to support the new Health Cybersecurity and Communications 
Integration Center?
    Mr. Scanlon. Well, sir, I don't know exactly the dollar 
figure of the new funding, we have built the HCCIC essentially 
out of hide. We have taken existing capabilities and 
investments that have been planned and executed and realigned 
and repurposed those things to achieve this capacity and then 
we've added in some of our additional technical spending.
    But we are anticipating budget increases and proposals to 
be put into a line item so that we can get a direct picture of 
what HCCIC needs and we would be looking forward to give you 
any more detail that we could about that.
    Mr. Tonko. OK. And also, Mr. Scanlon, and I'm asking this 
question because we want to make certain that our house is in 
order and that HHS has sufficient resources for its own IT 
security internally. The Office of Management and Budget 
estimates that HHS is spending $13 billion on information 
technology. During fiscal year 2016, only about $373 million, 
as I'm informed, or 3 percent of the HHS IT budget, was devoted 
to IT security.
    So my question to you, Mr. Scanlon, is can you give us an 
updated figure as to how much of the HHS budget for IT is 
devoted to IT security for fiscal year 2016?
    Mr. Scanlon. So I think we could get back to you. The CIO 
is actively working the budget right now and we'd be glad to 
get back to you with a detailed picture of the planned and 
current spending.
    Mr. Tonko. OK. That was fiscal year 2018. I think I might 
have misspoken and said 2016. So you can get back to us. Can 
you give me an answer in writing after this hearing?
    Mr. Scanlon. Certainly.
    Mr. Tonko. And will you give me an answer?
    Mr. Scanlon. Yes, sir. I will.
    Mr. Tonko. OK. To make it a little more defined.
    Thank you. I'm happy to hear that you will provide us with 
a response to my question, especially since I've been reading 
reports that a White House lawyer is telling agencies not to 
answer questions from Democrats. So it's reassuring.
    GAO recently found serious weaknesses in the security 
computer systems at the Food and Drug Administration. GAO also 
found that FDA spent only about 2 percent of its IT budget on 
information security.
    Mr. Scanlon, what assurances can you give us that HHS is 
appropriately prioritizing cybersecurity as part of its overall 
IT efforts?
    Mr. Scanlon. I can tell you, sir, that the FDA response at 
the GAO audit was robust and vigorous and continues to this 
day. They have developed what we believe is a world class 
implementation of a network operating and security operating 
center to support their ongoing cybersecurity activities.
    They are major partners with us in malware analysis. They 
have one of the strongest groups of malware analysts in the 
agency and they continue to proceed to respond to that audit 
and to the generalized threat.
    The CIO has in the last year gotten agreement--this is a 
milestone agreement for HHS for all CIOs to sign on to an IT 
strategic plan. It includes an investment plan that places IT 
security at the center of the strategy for the agency and at 
the center of the work plans for each of the CIOs.
    This was developed collaboratively over a period of time, 
was signed on to by the CIOs, supported by the CISOs and is 
being executed and as part of the budget plan of what the 
agency is doing. The HCCIC itself is another element of a 
response to further enhance, consolidate and strengthen the 
ability of the agency to utilize the resources, find the 
strongest resource that we've got in any one OpDiv and make it 
available as a force multiplier to other operating divisions.
    So we are reimagining, if you will, or reorganizing the way 
we deal with cybersecurity so that we have the strongest and 
most effective use of the resources that we have.
    Mr. Tonko. Thank you. And when will that all be 
implemented? Is there a target date?
    Mr. Scanlon. The IT strategic plan is a continuous process 
that goes on the course of the strategic planning of the CIOs 
across the board.
    The HCCIC is targeted for what we call initial operating 
capability the end of this month. That means that we will have 
our full initial technical capability in place.
    We will have our funding understood and we will have 
messaged--through our organization we are now in the process of 
gathering input from the operating divisions and from senior 
leadership and that once that message is completed by the end 
of June we'll be able to have a much more concrete and 
documentable picture of where we are.
    Mr. Tonko. Right. Well, I thank you and I look forward to 
hearing from you about the IT budget at HHS and whether HHS is 
devoting enough resources internally to cybersecurity. So I 
thank you again. With that, I yield back.
    Mr. Murphy. Thank you.
    I now recognize Mr. Collins of New York for 5 minutes.
    Mr. Collins. Thank you, Mr. Chairman. I want to thank the 
witnesses.
    This is a very timely topic we are talking about. Now, one 
of the more important parts of health care cybersecurity in our 
conversation is the capabilities of small and medium-sized 
health care organizations and device manufacturers.
    All of you today have briefly touched on the topic in your 
written testimony and there are recommendations within the task 
force report that address the concern for small and medium-
sized businesses. The fact of the matter is many of these small 
health care organizations do not have the resources to address 
cybersecurity. Even more problematic, they don't have the 
qualified personnel working for them to help them understand 
what's even at risk.
    So if you could in our limited time, if maybe I could start 
with Mr. Curren and ask you--maybe spend a minute and talk 
about that issue directly as it's small and medium-sized 
businesses that struggle to make payroll.
    They're having to make trade-offs each and every day 
whether it's R&D, manufacturing and then here's this 
cybersecurity and I think the reality is too often it's the 
last thing they're going to think about and yet, so if you 
could maybe discuss briefly your thoughts maybe for a minute or 
so about that and I'd like the other two to also speak to that.
    Mr. Curren. Thank you very much, and I'm certain we would 
all agree with that that the small and medium and rural health 
care organizations really have a critical need for health care 
cybersecurity information and resources, and the cybersecurity 
task force, of course, pointed that out. I think it also 
provided some good potential solutions or at least options to 
look at that maybe Emery can fill in on. We actually have 
looked at that within ASPR in terms of our sharing of 
information with health care organizations. It's very hard for 
small health care organizations to process the amount of 
information that's out there to know what they need to do to 
protect their systems.
    We put out a planning grant in 2015 to Harris Health System 
in the Houston area. They took a look at their colleagues in 
the entire health care system, small, medium and large-sized 
businesses to look at what are the information challenges that 
are out there and who would we need to reach most. And one of 
the findings from that study was that the small and medium 
organizations, exactly those issues that the task force pointed 
out, are where we need to focus our efforts. Based on that, we 
issued this last year in 2016 a grant to the National Health 
Information Sharing and Analysis Center, the NHISAC. That was a 
competitive grant that they won to help them to increase their 
information sharing specifically for small and medium-sized 
organizations that may not have the resources to be a member 
of their information sharing organization.
    So it's an issue we continue to look at and that we want to 
really address.
    Mr. Collins. That's encouraging.
    Mr. Scanlon.
    Mr. Scanlon. Yes, sir. I'd point to the WannaCry event 
where during the course of that we at the HCCIC were able to 
produce--we called them one-pagers, 101s, to begin to answer 
questions from the small organizations that were on the phone--
how do I patch, how do I detect, what should I look for, what 
is the main vector that I should.
    So we were able to provide this sort of information in real 
time to folks who don't have sophisticated cybersecurity teams 
to back them up and answer their questions. We look forward to 
continue to do that as a series of products.
    I would like to just mention we once spoke to an 
administrator of a hospital in Indian Health Service, the third 
largest health care organization in the country, I believe, and 
very, very underfunded in many ways. And this administrator 
said to us, we know they're social engineering, we are catching 
the phone calls, we know they're phishing us, we see the e-
mails. We don't know who they are, what they're going to do 
next and what we should do about it. Those three questions are 
the questions that HCCIC is committed to answer in conjunction 
with our partners with the support of our colleagues in ASPR 
and I think that is exactly what the task force was looking for 
as well.
    Mr. Csulak. Yes. When we looked at the task force, this was 
clearly seen as a major challenge where cybersecurity is a 
collateral duty in many of these small- and medium-sized 
organizations. They're overwhelmed with information sharing. 
How do we curate that information and simplify it and make it 
easier for a smaller number of people to adopt and embrace? How 
do we look at comprehensive education for these organizations? 
It can't just be an IT security person in there. We need to 
educate the patients. We need to educate the clinicians. We 
need to bring this to the boards. How do we bring that to a 
comprehensive thing to make sure we do that?
    And the report also talks about how do we look at shared 
services to offload the burden particularly on these small 
organizations? How do we partner with industry, with the NHISAC 
and High Trust on their initiatives that they're doing around 
this challenge of small- and medium-sized businesses? The task 
force looked at a comprehensive view and there are many ways 
and many areas, obviously, that they tried to address in the 
report.
    Mr. Collins. Well, thank you, that's all great. We are all 
focused on the same thing and the unfortunate fact is small 
businesses sometimes don't survive a cybersecurity attack that 
actually puts them down.
    So thank you, Mr. Chairman. My time has expired. I yield 
back.
    Mr. Murphy. Thank you.
    I recognize the gentleman from California, Mr. Peters, for 
5 minutes.
    Mr. Peters. Thank you very much, Mr. Chairman.
    I want to ask some questions about the WannaCry event, 
which crippled 200,000 computers in 150 countries.
    What assurances do the current U.S. policies requiring 
cyber protections provide that weren't present for medical 
systems in Europe during that attack and basically how are we 
doing--how are we better comparatively and how are we not 
better comparatively? Can you address that?
    Mr. Scanlon. So I think you're referring to the difference 
and the disparity between the effect on Europe and the effect 
on the United States.
    Mr. Peters. Was there something that we are doing better 
than them because we didn't get--or was it just good luck?
    Mr. Scanlon. In part, it was probably good luck. There's a 
great deal of analysis to try to determine exactly what 
happened and why in the course of that event. But there was 
certainly a point in time where the effect of the attack 
changed. I don't believe we were spared from everything we've 
seen in an analytical standpoint we were not spared the spread. 
We were spared the impact.
    Mr. Peters. OK. Can you help us distinguish which sort of 
medical industry cyber systems are most vulnerable to 
cybersecurity threats like electronic health records, 
administrative systems, medical devices or machines, telehealth 
systems?
    Mr. Scanlon. This is a very, very important question. The 
health care sector is somewhat unique--not entirely unique but 
it is particularly sensitive to the phenomena of the internet 
of things and also the fact that many devices were developed 
and have been developed not with the intention of being on the 
internet and when they were put into service, when they were 
designed it was never intended that they would be able to talk 
to other devices or be attacked yet they are.
    So this represents a major investment problem and it 
produces another problem that on the normal operating 
standpoint we can deal with quite easily. We can patch our 
systems without a great deal of difficulty. We can roll out 
automated patches across tens of thousands of machines on a 
basis. You can't quite do that in a hospital when you don't 
know what the impact of that patch is going to be in an 
operating room or on a medical device that is unique in the way 
it's designed and structured.
    So the health care sector has a very different type of 
vulnerability that requires a lot of thought and a lot of 
effort to begin to address and this is part of the problem that 
we saw in the WannaCry event is that the devices that were 
unpatched were impacted by this in a very severe way and the 
difficulty of getting those patches to them was very, very 
profound for the users of the devices.
    Mr. Peters. The way you've answered that question is more 
systemic than I asked it. So I'm going to take that as implied 
that we have to continue to figure out what's going to be 
happening?
    Mr. Scanlon. Yes, sir.
    Mr. Peters. But there's many, many points of entry now, 
given these different devices and open source practices and it 
seems to me that that's going to be part of HHS' role, I 
assume, is in corralling this information and spreading best 
practices?
    Mr. Scanlon. Yes, sir. And we did that during WannaCry. The 
HCCIC and especially the Cybersecurity Working Group has--which 
represents the security practitioners across the agency from 
FDA, from CMS, from OCR, ONC and elsewhere.
    We have an effort and a task to basically get on the road 
and talk to the sector about what we know and help them 
understand where we have resources that can assist and how to 
put them in touch with resources that we don't have.
    Mr. Peters. In one sense, it's more challenging than 
Britain because Britain's health system is much more 
centralized and we have a much more decentralized system.
    So can you elaborate on the partnerships and what Congress 
needs to do to make sure that everyone's engaged?
    Mr. Curren. I can say that we are working with our partners 
to enhance the understanding of this issue, especially at the 
executive level.
    Mr. Peters. Who are you referring to as your partners?
    Mr. Curren. The partners would be the--we have a sector-
coordinating council, which is the major trade associations 
in the health care industry as well as large-, medium-, and 
small-sized companies. We----
    Mr. Peters. Hospitals?
    Mr. Curren. Hospitals are part of that but also 
associations like American Hospital Association, which help us 
reach out to--as a force multiplier to their members.
    Mr. Peters. Right.
    Mr. Curren. So those are the organizations that we are 
working aggressively with to help spread this message to--that 
it's an important issue, an issue we need investment in in the 
private sector as well.
    Mr. Peters. I'm just taking as a takeaway is that we must 
be at a very early stage of this because we don't have a lot of 
specifics about it.
    I do hope that you have the resources that you need, that 
you are sharing best practices among hospitals. Mr. Scanlon, do 
you have anything further you wanted to add?
    Mr. Scanlon. Yes, sir. I just wanted to emphasize the point 
that you're making is that the development of communications in 
this area is very important to us.
    We saw during WannaCry that there's a lot to be learned and 
a lot to----
    Mr. Peters. In the sense of information sharing?
    Mr. Scanlon. Information sharing and also alerting. We 
discovered that it's very difficult. The sector, as you noted, 
is very diverse and very disparate. So there is no one single 
channel that you can just broadcast out to. We have to find 
ways to reach down into the smaller organizations.
    One of the things that we would, of course, like to ask in 
your help in the future any advice and assistance you can give 
us to reach the constituents in your district who need to know 
this. We stand ready and would really like to assist in that.
    Mr. Peters. Well, my time has expired but I'm sure you'd 
find everyone on this panel desperate to make sure that you're 
getting this information to their districts. So I don't think 
that'll be a problem.
    Thank you, Mr. Chairman, for your indulgence.
    Mr. Murphy. I now recognize Mr. Costello for 5 minutes.
    Mr. Costello. Thank you, Mr. Chairman.
    My question is for all witnesses. It's a little long. Bear 
with me.
    During our hearing on this topic a few months ago we asked 
our witnesses whether the fact that many different pieces of 
HHS are responsible for regulating different pieces of the 
health care sector causes confusion or duplication for 
companies trying to remain compliant.
    I'd like to read to you what one of the witnesses at that 
hearing said, because I think it sums it up pretty well: 
``While many regulations that apply to cybersecurity in health 
care are well-meaning and individually effective, taken 
together they can impose a substantial legal and technical 
burden on health care organizations. These organizations must 
continually review and interpret multiple regulations, some of 
which are vague, redundant, or both. In addition, organizations 
must dedicate resources to implement policy directives that may 
not have a material impact on reducing risks.''
    This observation was also made in the task force report 
that just came out. Now that HHS has received this feedback 
from the industry, a twofold question. Will there be a review 
that looks at cybersecurity regulations across the department 
to make sure that they are aligned? Second, if duplicate, 
confusing, contradictory, or ineffective regulations are 
discovered, as I imagine they probably already have been 
discovered, how will the department address them?
    Will you look to streamline, supersede, or otherwise make 
workably clear the various regulations so that the issue is 
addressed?
    Mr. Curren. I can start off with some comments related to 
the high-level implementation of the task force report and be 
happy to have additions from my colleagues.
    The task force report really was a milestone both for 
industry and for HHS. It really set a marker down to say here 
are all the things that we can do to improve cybersecurity in 
this nation. There are more than 100 imperatives, 
recommendations, and action items in the task force report. 
About half relate to the government and about half relate to 
the private sector.
    So there's a lot of work for everyone to do. HHS right now 
is taking a look at the report and all the recommendations that 
are there, looking at which recommendations might relate to our 
current authorities and resources where we have programs 
available, where we can do good work, which ones may be of 
interest to our partners where we can work with them to help in 
implementation and also look at a time frame.
    There is so much to do and many have very long time frames 
in terms of the action items. So we'll need to prioritize and 
sequence how we do things. I think that for us the regulatory 
review would certainly be part of that overall look. We do need 
to go through the whole report though and find out where all 
the priorities are for HHS and for our partners.
    Mr. Csulak. I think as you called out in the report, the 
task force and two of the task force members who spoke in April 
highlighted these points is that harmonization of the 
regulations is a key piece and a key challenge of that.
    I think as we've looked even before the task force report 
was completed, we had already been discussing some of these 
challenges in the Cybersecurity Working Group in HHS to try to 
address some of these challenges.
    So this has already come up. We are really looking at the 
potential negative impacts of regulations and how can we change 
this from a negative to a positive. Why are we punishing people 
for trying to do the good thing when we should be encouraging 
them to make improvements and so forth?
    So do we have an answer for those right now? No. But I know 
that ONC and OCR and the other regulatory bodies within HHS 
were clearly engaged with the task force activities and the 
recommendations. They heard directly from the industry partners 
where they were having challenges and we are hoping very much 
so that those will come back through the working group as 
solutions and activities in the near future.
    Mr. Scanlon. Yes. Echoing what my colleagues have said, we 
are very well aware of two things. One, the reporting on the 
impact of these regulations is not what we would like it to be. 
We don't know exactly how big, bad or indifferent this impact 
is. We would like to know that. But we do know that it's very 
real and we are taking it very seriously. The second thing is 
there's another part of the answer to the question is that we 
are engaged in an effort through the discussion about the 
cybersecurity framework, the NIST risk management approach, and 
shifting the sector from a cybersecurity focus that is merely 
based on compliance and which is largely risk avoidance or fine 
avoidance into an actual dynamic management of the risks and to 
determine what is needed for them to do that.
    So we hope that that effort will help shape this and give 
us a greater insight into where regulations are impeding the 
ability of organizations to shift out of a pure compliance 
mode. And also the extent to which the type of threat--the 
regulations that exist were not really designed to deal with a 
cyberthreat of the type that affects us and as one of the 
members pointed out, all these systems are vulnerable.
    So it's very, very hard to avoid under some circumstances 
the sense that we are victimizing the victim and we very much 
want to get away from that and move people into an active role 
in the defense of their systems in conjunction with us.
    Mr. Costello. Thank you. I yield back.
    Mr. Murphy. I now recognize Dr. Burgess for 5 minutes.
    Mr. Burgess. Thank you, and that's an excellent place to 
start, Mr. Scanlon, or really any of you--the concept of 
victimizing the victim.
    Now, Ms. Castor from Florida talked about the Office of 
Civil Rights in Department of Health and Human Services. When 
we had our hearing here several weeks ago in April with the 
public-private partnerships in the health care sector and, 
again, as Mr. Costello was bringing up, the dual role of HHS 
and the regulator as well as being responsible for the sector-
specific integrity, it came up that there is, under the Office 
of Civil Rights under their portal there is what's called the 
Wall of Shame. Are you guys familiar with that? Is it helpful?
    Mr. Scanlon. Sir, we heard you loud and clear at that 
hearing and we took that matter back to the secretary. He has 
taken it very seriously and is working on an effort to address 
the concerns that you raised. We'd like to get back to you in 
more detail. The work is not complete but it is underway.
    Mr. Burgess. Is that something that can simply be taken 
care of within the agency?
    Mr. Scanlon. Yes, sir.
    Mr. Burgess. Or would, perhaps, it be better to have 
legislation? What concerns me is this thing's been out there. 
The first infraction was October of 2009.
    Mr. Scanlon. It's still up there.
    Mr. Burgess. A facility in Texas. Yes, and it's still up 
there.
    Mr. Scanlon. Yes, sir.
    Mr. Burgess. And you reach the threshold of 500 charts or 
whatever affected and you're up there. I don't know how that 
affects someone's ability to--does it affect their ability to 
stay in business?
    I don't know what kind of follow-up there's been done on 
whether or not access to capital has been limited because they 
appear on the Office of Civil Rights' Wall of Shame at 
Department of Health and Human Services. I can just imagine 
that that is a big deal and, again, we are victimizing the 
victim again. Why wouldn't we be helping people rather than 
continuing to penalize them?
    Mr. Scanlon. Sir, we are with you 100 percent and we are--
both what we are doing with the HCCIC to try to reach out to 
help people understand first how to avoid those. There are 
things that can be done to avoid the problems that people end 
up on the wall.
    At the same time, I think you asked about legislation. This 
is a matter to be considered at some point. The threat has 
changed. The nature of the problem has changed.
    Mr. Burgess. Correct.
    Mr. Scanlon. There are certainly matters of due diligence 
that need to be brought to attention and need to be publicized 
and people need to be called to account for those things. There 
are the matters where people are being attacked by 
attackers who far overwhelm their capabilities to defend 
themselves and we need to distinguish between those.
    Mr. Burgess. Sure.
    Mr. Scanlon. We did that initially. We've done that in our 
approach to cybersecurity in the federal government.
    We've adopted the risk management framework where we use a 
risk assessment approach to evaluate these to determine 
severity and to apply resources to the most severe problem 
rather than just shotgun at anything we find. So we think that 
this is a model that can be applied. That's why the task force 
and others are recommending the adoption of the cybersecurity 
framework approach and we would like to see that reflected. We 
hope to see that reflected in the way that the agency 
approaches these regulatory matters and we would like to 
continue talking with you about that as well.
    Mr. Burgess. Very well. I haven't gotten enough in-depth 
research. I don't know if the Office of Personnel Management is 
on your Wall of Shame or not. They were actually involved in a 
breach a couple of summers ago, as you may recall.
    Let me just ask you then on--and I've got a number of 
questions and I will submit them for the record because I've 
got too much to get through in this context. We had the 
ransomware attack. Fortunate in this country that it wasn't as 
bad as it could have been. But aren't there still a couple of 
sites that are having ongoing damage from that attack where 
that malware is continuing to try to lock down their files?
    Mr. Scanlon. Yes, sir, and we did a call last week to the 
sector to talk about that. There's a peculiar feature of the 
malware is that the virus itself and its encryption payload are 
two separate parts of the attack. The encryption payload has 
been defused largely or is being caught in many cases by 
antivirus and other detection systems. But the virus may have 
already been present on a system and even if the system was 
patched, when it reboots for whatever reason the virus goes 
into action and the attempt of the virus to activate itself can 
knock over certain Windows systems and bring them down and 
crash the device and that's happening globally.
    So there's an iterative process of discovering which 
machines are still vulnerable, where the virus is resident, not 
just patching but then reimaging and rebuilding the machines 
and that's what is happening in the instances that we know 
about.
    That's basically what's going on and it's going to take 
some time for everybody to get this problem rooted out of their 
systems because of the virulent nature of it.
    Mr. Burgess. And I assume you'll have ongoing help with 
that. Good. Let me just be sure I understood you correctly. So 
we can look forward to being able to take a field trip to HCCIC 
at the end of June. Is that correct?
    Mr. Scanlon. We'd be delighted to have you.
    Mr. Burgess. All right. Well, we will await the invitation. 
Thank you very much. Thank you, Chairman.
    Mr. Murphy. Thank you. I now recognize Mr. Carter for 5 
minutes.
    Mr. Carter. Thank you, Mr. Chairman, and thank all of you 
for being here. As a health care provider for many years I can 
tell you this is extremely important and of concern to all 
health care providers for a number of reasons, not the least of 
which are the penalties involved with HIPAA and everything else 
that we are acutely aware of.
    Let me ask you, Mr. Csulak, you're the co-chair of the 
Health Care Industry Task Force and that task force has the 
charge of coordinating industry and the government side to 
cooperate with and secure digital networks. Is that correct?
    Mr. Csulak. Well, we had a task to analyze the challenges 
and create the report for action. It was, again, a one-year 
limited version of a task force to come up with these 
recommendations and is not necessarily an ongoing activity 
under the current legislation.
    Mr. Carter. OK. Well, can you describe for me your 
experiences when you first heard about the WannaCry attack and 
your interaction with industry? Can you walk me through that?
    Mr. Csulak. Yes. When we looked from a task force 
perspective on the challenges there, what we really see is, the 
task force identified and, repeat that, industry and government 
need to work together about promoting and promulgating best 
practices in cybersecurity and really, I think when you look at 
the action items that came out of WannaCry, they clearly lined 
up with the task force recommendations of focusing on those 
best practices, how do we roll those out, making sure that we 
have good cyber hygiene on our computers.
    So, I think the recommendations around WannaCry really do 
line up and successfully match to the task force 
recommendations.
    Mr. Carter. Can you give me an idea about the quality of 
the devices that hospitals are using now? Are they pretty well 
prepared, or the health care facilities, they've used a lot of 
these devices for many years. Are they up to date? Are they 
prepared? Do we need----
    Mr. Csulak. The task force members really said they run the 
gamut. We've got some organizations which are using state of 
the art information but there's a lot of large technology like 
x-ray machines and other big bill items that really are legacy 
applications, legacy operating systems which are a challenge.
    So I think when you look at the task force report it looks 
at some of those challenges. It was, like, look, we need to do 
a better job developing new stuff, secure operating systems do 
that. But we also have to look at architecture and security 
design issues around how do we segment these systems which are 
older. We still need to operate on them. Small organizations 
may not be able to really easily replace a scanner. How do we 
help them segment that stuff so it becomes less risky?
    Mr. Carter. Do you feel like we are making progress?
    Mr. Csulak. I think we are making progress. I think if you 
look at the task force report they really see this as a goal 
that industry recognizes and can embrace about coming up with 
better best practices for this. So they were very confident 
that this is an area where industry really can be a leader in 
this area and I think what we are doing is we are seeing 
progress in there but, obviously, there's a lot of room to 
grow.
    Mr. Carter. Good. Mr. Scanlon, very quickly, you're deputy 
chief information security officer at DHS and the HHS designee 
for cybersecurity. One of the things in the cyberthreat 
preparedness report it identified a number of findings, 
including the fact that there are 11 components within the 
department that contribute to the health care sector threat 
preparedness. But a consistent concern that we found in 
preparing for this hearing was that there's a confusion out 
there about who to call and with some of the outside groups.
    What are we doing about this to try to clear that up?
    Mr. Scanlon. Well, sir, step one--and we are acutely aware 
of that internally ourselves. I would like to say, though, on 
the one hand there is an advantage to this large array of 
organizations that we have a 360-degree view of the sector. So 
internally our intention is to be able to get that view as a 
single view that can go out and provide a 311 capability and 
this is what the Cybersecurity Working Group is primarily 
tasked with doing.
    That, of course, takes work. That takes time. But we are 
underway doing that. We are going to be looking to you for 
support in that effort as it goes forward. But that is exactly 
a problem that we intend to solve and we saw that very clearly 
in the WannaCry event. We have solid proof of why that needs to 
be addressed and we think we have a path forward to do it.
    Mr. Carter. Great. Well, I'm out of time and I yield back.
    Mr. Murphy. Thank you.
    I will now recognize Ms. Walters for 5 minutes.
    Ms. Walters. Thank you, Mr. Chairman.
    As you mentioned in the testimony, HHS coordinated with 
NCCIC following the WannaCry attack. I have toured NCCIC and 
understand the role it plays in the cybersecurity space.
    Mr. Scanlon, I'd like to get your thoughts on how the HCCIC 
fits into the public-private partnership for the health care 
sector, specifically how it will work with NCCIC and NHISAC. On 
the surface, it appears that this could create confusion by 
adding another layer or could be duplicative of these 
organizations.
    Can you elaborate on how the HCCIC will work with the NCCIC 
and NHISAC?
    Mr. Scanlon. Yes. Thank you very much.
    Yes, the HCCIC's function is to be able to reach into what 
we were just describing as a very diverse and complex sector 
and to leverage what exists at the NCCIC level.
    So the NCCIC has the capability to coordinate across the 
sectors, across into the intelligence community and at the 
federal level through law enforcement.
    So the HCCIC's function is to start to provide a 
communication channel from the sector, especially the smaller 
and medium-sized organizations that don't necessarily know 
about NCCIC or don't really know how to get to US-CERT or might 
when they contact their local law enforcement official might or 
might not get in touch with some federal level capability.
    The HCCIC can leverage what ASPR already has, which is this 
tremendous ability to reach into the sector and become a 
transmission vehicle up to the NCCIC and do something that 
NCCIC on its own as an organization is really not quite 
designed to do. It's got a different function.
    Ms. Walters. Right.
    Mr. Scanlon. At the same time, the HCCIC is a vehicle to 
coordinate with private-sector partners. There are many ISALs. 
Emery mentioned High Trust as one that's very active. NHISAC is 
the grant award organization that is building out a portal that 
we intend to share with and provide as another major point of 
contact.
    The sector works with many, many channels. Different 
organizations communicate in different ways. What we are trying 
to do in the course of this is get out the word that this is 
where you can get coordinated information and we would like to 
be able to and intend to be able to reach to each of these 
partners and work with them and we did do that during the 
WannaCry event.
    High Trust was on the call. NHISACs were on the calls. They 
were able to provide insight and information that they had from 
their activities to the rest of the sector and we would like to 
make that not just an emergency event but an ongoing activity 
that the department carries out on a daily basis.
    Ms. Walters. OK. Were these organizations involved in the 
discussions or decision to establish the HCCIC?
    Mr. Scanlon. Not directly. We knew that the grant from ASPR 
and ONC was going to ask somebody to do that. So we didn't 
discuss with any of the bidders or the grant recipients. But we 
did discuss among ourselves how we would then be able to 
respond once that grant was awarded what would the agency do on 
its side to be able to work with that partner.
    Ms. Walters. OK. So HHS does not have any discussions with 
the Department of Homeland Security about the establishment of 
the HCCIC prior to----
    Mr. Scanlon. We had extensive discussions. In fact, it was 
people in the Department of Homeland Security who suggested 
that we move and think in this direction.
    We have talked to Department of Homeland Security about 
developing CONOPS. This is a work in progress now. We have 
talked with them about the very concerns you raised are 
concerns for us, obviously.
    We don't want to duplicate. We don't want to reproduce 
capabilities that DHS already has. We very much want to 
leverage their capabilities out to, like, the cyber hygiene 
program, which is a very scalable and valuable thing for the 
entire sector, and we want to work with DHS to figure out the 
actual escalation, communication and integration of these 
capabilities both on the emergency management side, because 
that's another aspect of DHS that's, again, well established 
and the cybersecurity side through NCCIC and US-CERT.
    Ms. Walters. OK. A second question I have is a concern that 
we've heard raised with regards to the HCCIC is that 
information shared with the center might not receive liability 
protections provided under the Cyber Information Sharing Act of 
2015.
    Has HHS determined whether or not information shared with 
HCCIC will receive CISA liability protection?
    Mr. Scanlon. Our lawyers have reviewed that and we had 
ongoing work during the WannaCry to clear that up because that 
is a widespread belief; it is not correct. There are very, very 
strong protections in PCII, HIPAA, and the CISA that encourage 
the sharing of indicators and defensive measures and identify 
what information should not be shared--PII, PHI, attributable 
information. And from our standpoint, we need nothing of that 
type nor do we even need to know entity information in order to 
carry out the evaluation and analytic work that we do.
    So as I mentioned, we are working with our legal teams and 
review organizations to develop plain language descriptions of 
how those protections work and what they would provide to the 
sector so that we can have that available for people to 
understand and be clear about it.
    Ms. Walters. OK. Thank you. I'm out of time.
    Mr. Murphy. I think that concludes all of our questions for 
this panel.
    I do want to say this. I want to commend you all for the 
work you did on dealing with the WannaCry threat that occurred. 
Granted, it was not as mature or developed as it could have 
been but it was perhaps a good test run of some of your work. 
So thank you for that, and it was helpful to hear the lessons 
learned from this as you moved forward on this.
    I want to thank all of you for being here participating in 
today's hearing. I remind members they have 10 business days to 
submit questions for the record.
    I would ask that all the witnesses please agree to respond 
promptly to those questions.
    And with that, this committee remains adjourned.
    [Whereupon, at 11:53 a.m., the committee was adjourned.]
    [Material submitted for inclusion in the record follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]