b"<html>\n<title>EXAMINING THE ROLE OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES IN HEALTH CARE CYBERSECURITY</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n \n EXAMINING THE ROLE OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES IN \n                       HEALTH CARE CYBERSECURITY\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              JUNE 8, 2017\n\n                               __________\n\n                           Serial No. 115-37\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n                        \n                        \n                            _________ \n\n                U.S. GOVERNMENT PUBLISHING OFFICE\n                   \n 26-585                  WASHINGTON : 2018      \n____________________________________________________________________\n For sale by the Superintendent of Documents, U.S. Government Publishing Office,\nInternet:bookstore.gpo.gov. 
Phone:toll free (866)512-1800;DC area (202)512-1800\n  Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001                         \n                        \n                        \n                        \n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                          GREG WALDEN, Oregon\n                                 Chairman\nJOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey\n  Vice Chairman                        Ranking Member\nFRED UPTON, Michigan                 BOBBY L. RUSH, Illinois\nJOHN SHIMKUS, Illinois               ANNA G. ESHOO, California\nTIM MURPHY, Pennsylvania             ELIOT L. ENGEL, New York\nMICHAEL C. BURGESS, Texas            GENE GREEN, Texas\nMARSHA BLACKBURN, Tennessee          DIANA DeGETTE, Colorado\nSTEVE SCALISE, Louisiana             MICHAEL F. DOYLE, Pennsylvania\nROBERT E. LATTA, Ohio                JANICE D. SCHAKOWSKY, Illinois\nCATHY McMORRIS RODGERS, Washington   G.K. BUTTERFIELD, North Carolina\nGREGG HARPER, Mississippi            DORIS O. MATSUI, California\nLEONARD LANCE, New Jersey            KATHY CASTOR, Florida\nBRETT GUTHRIE, Kentucky              JOHN P. SARBANES, Maryland\nPETE OLSON, Texas                    JERRY McNERNEY, California\nDAVID B. McKINLEY, West Virginia     PETER WELCH, Vermont\nADAM KINZINGER, Illinois             BEN RAY LUJAN, New Mexico\nH. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York\nGUS M. BILIRAKIS, Florida            YVETTE D. CLARKE, New York\nBILL JOHNSON, Ohio                   DAVID LOEBSACK, Iowa\nBILLY LONG, Missouri                 KURT SCHRADER, Oregon\nLARRY BUCSHON, Indiana               JOSEPH P. KENNEDY, III, \nBILL FLORES, Texas                       Massachusetts\nSUSAN W. BROOKS, Indiana             TONY CARDENAS, California\nMARKWAYNE MULLIN, Oklahoma           RAUL RUIZ, California\nRICHARD HUDSON, North Carolina       SCOTT H. 
PETERS, California\nCHRIS COLLINS, New York              DEBBIE DINGELL, Michigan\nKEVIN CRAMER, North Dakota\nTIM WALBERG, Michigan\nMIMI WALTERS, California\nRYAN A. COSTELLO, Pennsylvania\nEARL L. ``BUDDY'' CARTER, Georgia\n\n              Subcommittee on Oversight and Investigations\n\n                        TIM MURPHY, Pennsylvania\n                                 Chairman\nH. MORGAN GRIFFITH, Virginia         DIANA DeGETTE, Colorado\n  Vice Chairman                        Ranking Member\nJOE BARTON, Texas                    JANICE D. SCHAKOWSKY, Illinois\nMICHAEL C. BURGESS, Texas            KATHY CASTOR, Florida\nSUSAN W. BROOKS, Indiana             PAUL TONKO, New York\nCHRIS COLLINS, New York              YVETTE D. CLARKE, New York\nTIM WALBERG, Michigan                RAUL RUIZ, California\nMIMI WALTERS, California             SCOTT H. PETERS, California\nRYAN A. COSTELLO, Pennsylvania       FRANK PALLONE, Jr., New Jersey (ex \nEARL L. ``BUDDY'' CARTER, Georgia        officio)\nGREG WALDEN, Oregon (ex officio)\n  \n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Tim Murphy, a Representative in Congress from the \n  Commonwealth of Pennsylvania, opening statement................     1\n    Prepared statement...........................................     3\nHon. Diana DeGette, a Representative in Congress from the state \n  of Colorado, opening statement.................................     4\nHon. Greg Walden, a Representative in Congress from the State of \n  Oregon, opening statement......................................     5\n    Prepared statement...........................................     6\nHon. Michael C. Burgess, a Representative in Congress from the \n  State of Texas, prepared statement.............................     8\nHon. 
Frank Pallone, Jr., a Representative in Congress from the \n  State of New Jersey, opening statement.........................     9\n    Prepared statement...........................................    10\n\n                               Witnesses\n\nSteve Curren, Director, Division of Resilience, Office of \n  Emergency Management, Office of the Assistant Secretary for \n  Preparedness and Response, U.S. Department of Health and Human \n  Services.......................................................    11\n    Prepared statement...........................................    14\n    Answers to submitted questions...............................    47\nLeo Scanlon, Deputy Chief Information Security Officer, U.S. \n  Department of Health and Human Services........................    22\n    Prepared statement...........................................    14\n    Answers to submitted questions...............................    59\nEmery Csulak, Chief Information Security Officer and Senior \n  Privacy Official, Centers for Medicare and Medicaid Services, \n  Co-Chair, Health Care Industry Cybersecurity Task Force........    23\n    Prepared statement...........................................    14\n    Answers to submitted questions...............................    78\n\n\n EXAMINING THE ROLE OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES IN \n                       HEALTH CARE CYBERSECURITY\n\n                              ----------                              \n\n\n                         THURSDAY, JUNE 8, 2017\n\n                  House of Representatives,\n      Subcommittee on Oversight and Investigations,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10:17 a.m., in \nroom 2322 Rayburn House Office Building, Hon. 
Tim Murphy \n(chairman of the subcommittee) presiding.\n    Members present: Representatives Murphy, Griffith, Burgess, \nBrooks, Collins, Walberg, Walters, Costello, Carter, Walden (ex \nofficio), DeGette, Castor, Tonko, Ruiz, Peters, and Pallone (ex \nofficio).\n    Staff present: Jennifer Barblan, Chief Counsel, Oversight \nand Investigations; Elena Brennan, Legislative Clerk, Oversight \nand Investigations; Katie McKeough, Press Assistant; John Ohly, \nProfessional Staff, Oversight & Investigations; Jennifer \nSherman, Press Secretary; Hamlin Wade, Special Advisor, \nExternal Affairs; Jessica Wilkerson, Professional Staff, \nOversight and Investigations; Julie Babayan, Minority Counsel; \nChris Knauer, Minority Oversight Staff Director; Miles \nLichtman, Minority Policy Analyst; Kevin McAloon, Minority \nProfessional Staff Member; Dino Papanastasiou, Minority GAO \nDetailee; Andrew Souvall, Minority Director of Communications, \nOutreach and Member Services; and C.J. Young, Minority Press \nSecretary.\n\n   OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN \n         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA\n\n    Mr. Murphy. Good morning. Commencing a hearing here on \n``Examining the Role of the Department of Health and Human \nServices on Health Care Cybersecurity.'' Welcome.\n    We are here today to continue our examination of \ncybersecurity in the health sector as we discussed at our \nhearing in April about the role of public-private partnerships. \nCybersecurity in this sector ultimately comes down to patient \nsafety. We had a glimpse just weeks ago at what a large-scale \ncyber incident could do to the health care sector including the \nimpact upon patients during the WannaCry ransomware event. 
\nToday, we turn to the role the Department of Health and Human \nServices, HHS, has in health care cybersecurity.\n    Recognizing the critical importance of cybersecurity in \nthis sector, 2 years ago in the Cybersecurity Act of 2015 \nCongress asked HHS to undertake two evaluations: one evaluating \nthe department's internal preparedness for managing \ncyberthreats and a second done alongside industry stakeholders \nexamining the challenges with cybersecurity in the health care \nsector. These evaluations are now complete and give not only \nthe Congress but the entire health care sector an opportunity \nto better understand the agency's approach to cybersecurity. \nThe reports also allow us to establish a baseline for \nevaluating HHS' progress, moving forward.\n    HHS' internal preparedness report sets out the roles and \nresponsibilities of various HHS offices in managing \ncyberthreats, among other information. For example, the report \nidentified a single HHS official--the cybersecurity designee--\nassigning primary responsibility for cybersecurity efforts \nacross the agency. But what precisely does this mean and how does \nthe cybersecurity designee work with the 11 components \nidentified by HHS as having cybersecurity responsibilities? In \naddition, the committee has learned that many of the details \nmay already be obsolete due to recent and ongoing changes in \nHHS' internal structure.\n    For example, HHS' creation of a Health Cybersecurity and \nCommunications Center, or HCCIC, modeled on the National \nCybersecurity and Communications Integration Center, or NCCIC, \noperated by the Department of Homeland Security could \ndramatically change how HHS handles cyberthreats internally. It \nis our understanding that the HCCIC will serve as a focal point \nfor cyberthreat information, collection and dissemination from \nHHS' internal networks as well as external sources. However, \ndetails about this new function remain limited. 
Therefore, how \nHCCIC fits in the department's internal structure and \npreparedness as well as its role with respect to private sector \npartners will be a focus of today's discussion.\n    The second report released late last week focused broadly \non the challenges of cybersecurity in the health care industry. \nThis report reflects the findings and recommendations of the \nHealth Care Industry Cybersecurity Task Force. The task force \nmembers were selected from a wide range of stakeholders \nincluding federal agencies, the health care sector and \ncybersecurity experts. And the report does not mince words, \nbroadly concluding that health care cybersecurity is in \ncritical condition. The report identified six imperatives such \nas defining leadership and expectations for the industry, \nincreasing the security of medical devices and health IT and \nimproving information sharing within the industry. It made 27 \nspecific recommendations. Many of these recommendations call on \nHHS to provide more leadership and guidance for the sector as a \nwhole.\n    It is clear from these reports that there is much HHS can \nand should do to help elevate cybersecurity across the sector. \nThe importance of meeting this challenge head on was \nilluminated in recent weeks by the widely publicized WannaCry \nransomware. Frankly, we are lucky the United States was largely \nspared from this infection, which temporarily crippled the \nNational Health Service in England. Doctors and nurses were \nlocked out of patient records there and hospitals diverted \nambulances to nearby hospitals and cancelled nonemergency \nservices after widespread infection of the ransomware.\n    This incident was an important test of HHS' response to a \npotentially serious event and thus far the feedback has been \npositive. Reports suggested HHS took a central role in \ncoordinating resources, disseminating information and serving \nas a nurse in the public-private response efforts. 
But this was \njust one incident and HHS must remain vigilant. The WannaCry \ninfection was not the first widespread cyber incident nor will \nit be the last.\n    Therefore, a commitment to raising the bar for all \nparticipants in the sector no matter how large or small needs \nto be embraced. This is a collective responsibility and HHS has \nan opportunity to show leadership and to set the tone. Because \nthis is no longer just about protecting personal information or \npatient data. This is about patient safety.\n    So I want to thank our witnesses for appearing today and \nlook forward to learning more about HHS' efforts on this \nimportant topic.\n    I want to also say we recognize that this is a very, very \nserious threat and we will be asking more details about that \nlater. But one that has had that impact upon the National \nHealth Service in England, I shudder to think what happens \nhere.\n    If we are talking about threats to patients' medical \nrecords, prescribing records, medical equipment, et cetera, \nnone of this should be taken lightly. This is a very serious \nproblem.\n    [The prepared statement of Mr. Murphy follows:]\n\n                 Prepared statement of Hon. Tim Murphy\n\n    We are here today to continue our examination of \ncybersecurity in the health care sector. As we discussed at our \nhearing in April about the role of public-private partnerships, \ncybersecurity in this sector ultimately comes down to patient \nsafety. And we got a glimpse just weeks ago at what a large-\nscale cyber incident could do to the health care sector-\nincluding the impact on patients-during the WannaCry ransomware \nevent. 
Today, we turn to the role of the Department of Health \nand Human Services (HHS) in health care cybersecurity.\n    Recognizing the critical importance of cybersecurity in \nthis sector, two years ago, in the Cybersecurity Act of 2015, \nCongress asked HHS to undertake two evaluations-one evaluating \nthe Department's internal preparedness for managing cyber \nthreats, and a second done alongside industry stakeholders \nexamining the challenges of cybersecurity in the health care \nsector. These evaluations are now complete, and give not only \nthe Congress, but the entire health care sector, an opportunity \nto better understand the agency's approach to cybersecurity. \nThe reports also allow us to establish a baseline for \nevaluating HHS' progress moving forward.\n    HHS's internal preparedness report sets out the roles and \nresponsibilities of various HHS offices in managing cyber \nthreats, among other information. For example, the report \nidentified a single HHS official--the cybersecurity \n``designee''--as having primary responsibility for \ncybersecurity efforts across the agency. But what precisely \ndoes this mean, and how does this cybersecurity designee work \nwith the eleven components identified by HHS as having \ncybersecurity responsibilities? In addition, the Committee has \nlearned that many of the details may already be obsolete due to \nrecent and ongoing changes in HHS's internal structure.\n    For example, HHS's creation of a Health Cybersecurity and \nCommunications Integration Center (HCCIC), modeled on the \nNational Cybersecurity and Communications Integration Center \n(NCCIC) operated by the Department of Homeland Security, could \ndramatically change how HHS handles cyber threats internally. \nIt is our understanding that the HCCIC will serve as a focal \npoint for cyber threat information collection and dissemination \nfrom HHS's internal networks, as well as external sources. 
\nHowever, details about this new function remain limited. \nTherefore, how the HCCIC fits into the Department's internal \nstructure and preparedness, as well as its role with respect to \nprivate sector partners will be a focus of today's discussion.\n    The second report, released late last week, focuses broadly \non the challenges of cybersecurity in the health care industry. \nThis report reflects the findings and recommendations of the \nHealth Care Industry Cybersecurity Task Force. The Task Force \nmembers were selected from a wide range of stakeholders, \nincluding federal agencies, the health care sector and \ncybersecurity experts. The report does not mince words, broadly \nconcluding that health care cybersecurity is in critical \ncondition. The report identified six imperatives-such as \ndefining leadership and expectations for the industry, \nincreasing the security of medical devices and health IT, and \nimproving information sharing within the industry-and made 27 \nspecific recommendations. Many of these recommendations call on \nHHS to provide more leadership and guidance for the sector as a \nwhole.\n    It is clear from these reports that there is much that HHS \ncan and should do to help elevate cybersecurity across the \nsector. The importance of meeting this challenge head-on was \nilluminated in recent weeks by the widely-publicized WannaCry \nransomware. Frankly, we are lucky that the United States was \nlargely spared from this infection, which temporarily crippled \nthe National Health Service in England. Doctors and nurses were \nlocked out of patient records. Hospitals diverted ambulances to \nnearby hospitals and cancelled non-emergency services after \nwidespread infection of the ransomware.\n    This incident was an important test of HHS's response to a \npotentially serious event and thus far, the feedback has been \npositive. 
Reports suggest that HHS took a central role in \ncoordinating resources, disseminating information and serving \nas a nerve center for public-private response efforts. But this \nwas just one incident, and HHS must remain vigilant. The \nWannaCry infection was not the first widespread cyber incident, \nnor will it be the last.\n    Therefore, a commitment to raising the bar, for all \nparticipants in the sector--no matter how large or small, needs \nto be embraced. This is a collective responsibility and HHS has \nan opportunity to show leadership and to set the tone. Because \nthis is no longer just about protecting personal information or \npatient data. This is about patient safety.\n    I want to thank our witnesses for appearing today and look \nforward to learning more about HHS's efforts on this important \ntopic. I now recognize the Ranking Member, Ms. DeGette, for her \nopening statement.\n\n    Mr. Murphy. So I now want to recognize the ranking member, \nMs. DeGette of Colorado, for her opening statement.\n\n OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF COLORADO\n\n    Ms. DeGette. Thank you, Mr. Chairman.\n    The country's vital infrastructure is under attack by \nactors with malicious intent. We are constantly seeing new \nheadlines about vulnerabilities and cyberattacks against our \nsystems and these attacks are becoming more frequent and more \nsophisticated.\n    In the health care sector, cyberattacks are particularly \ndevastating, obviously because they can harm patients. Just \nlast month, as the chairman mentioned, WannaCry ransomware \ncrippled information systems around the world.\n    Hackers infected an estimated 200,000 computers in more \nthan 150 countries. 
For the systems affected in the health care \nsector, the WannaCry attack meant that patients could not get \ntheir prescriptions at pharmacies and doctors even could not \nconduct surgery in their hospitals.\n    Cyberattacks in this sector are unfortunately not a new \nproblem. For example, in 2015 more than 113 million medical \nrecords were reportedly compromised by a cyber intrusion.\n    In one widely publicized case involving a health insurance \ncompany, the personal information of nearly 79 million people \nwas compromised.\n    Cyberthreats have become a new reality that we must all \nface. Information systems connected to the internet are vital \nto the operation of our economy and our government. While this \ninterconnectedness is essential, it brings vulnerabilities and \nunique challenges.\n    Just this last week, an HHS task force released a major \nreport on how to address cyber vulnerabilities within the \ndepartment and the health care sector.\n    This report identified many cybersecurity problems \nconfronting the industry, the department and its multitude of \nhealth-related agencies.\n    These problems include a lack of cybersecurity expertise in \nthe workforce, a reliance on outdated legacy equipment and a \nfailure of certain organizations to address vulnerabilities \nthat can harm patients.\n    Our witnesses from HHS today will speak about their ongoing \nefforts to address these threats both within the department and \nwithin the larger health care sector. I am also aware that HHS \nis working on a health care cyber center which I expect we will \nalso address today.\n    As with our previous hearing on information-sharing \nanalysis centers, I think it's so important that we look for \nsolutions. But toward that end I also want to make sure that \nour solutions are measurable, efficient and effective in \nprotecting our nation's networks and systems. 
Defending our \nnation's health care sector against a wide range of cyber \nthreats requires a coordinated effort involving many players \nand approaches.\n    Because this is such an important area, we must continue to \nfind ways to strengthen our cybersecurity systems, particularly \nrelating to health care, including the problem of ransomware \nand the threat of insurance and medical records theft.\n    Mr. Chairman, I am looking forward to continuing to work \nclosely on these issues with you as we do our work in this \nvital area, and I yield back.\n    Mr. Murphy. Thank you.\n    I now want to recognize the chairman of the full committee, \nMr. Walden.\n\n  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF OREGON\n\n    Mr. Walden. I thank the gentleman for having this very \nimportant hearing. This is really critical work we are all \nengaged in together.\n    Our lives continue to become more interconnected every day. \nThis explosion of digital connectivity and information \ntechnology provides us with previously unimaginable \nconvenience, engagement, capabilities, and opportunities for \ninnovation.\n    But for all its benefits, the digitization of our daily \nlives also comes with risk. The internet and information \ntechnologies are inherently insecure. With time, motivation, \nand resources, someone halfway around the world can find a way \ninto almost any product system.\n    As the opportunities for attackers proliferate, the \npotential consequences of their actions are becoming more and \nmore costly and severe. As more products, services, and \nindustries become connected to the digital world, we must \nacknowledge that the threat is no longer just data and \ninformation. It is literally public health and safety.\n    For the health care sector, these factors present a very, \nvery real threat and equally daunting challenge. 
As we \nwitnessed with the recent WannaCry ransomware outbreak, \nportions of the National Health System in the U.K. had to turn \naway patients except for emergency care after vulnerable \nsystems fell victim to the exploit.\n    WannaCry did not appear to be a targeted attack on health \ncare but the potential consequence of the exploit on health \ncare--including patient safety--was far more severe. If this \nhad been a more sophisticated exploit or a targeted attack on the \nhealth care sector, the consequences, as we all know, would \nhave been far worse.\n    The health care sector is starting to grasp this new \nreality but, as noted in the recent task force report, which we \nwill discuss today, health care cybersecurity is in ``critical \ncondition'' and requires ``immediate and aggressive \nattention,'' which brings us to today's hearing.\n    Clearly, the sector needs leadership. HHS is uniquely \nsituated to fill this void. Historically, the department has \nstruggled to effectively embrace this responsibility but that \ntrend cannot continue.\n    More recently, HHS has started to demonstrate a commitment \nand focus to addressing the rampant challenges in health care \ncybersecurity. For example, the department's actions in \nresponse to the WannaCry ransomware--coordinated through the \nnewly established HCCIC--have generally received praise from \nthe sector.\n    This and other recent actions are positive signs that the \ndepartment is heading in the right direction. But HHS has a \nlong way to go to demonstrate the leadership necessary to \ninspire change across the sector. It needs to be open and \ntransparent about who is in charge and provide clarity about \nthe roles and responsibilities, not only internally but across \nthe sector. 
They need to make sure that a small rural hospital \nnot only knows exactly who to call but also has access to the \nresources and information to keep their patients safe.\n    This hearing provides an opportunity for HHS to provide \nsome much-needed clarity about your internal structure, as well \nas outline plans to elevate cybersecurity across the sector.\n    The sector is operating on borrowed time. Cyber threat is \nspreading and left unchecked it will pose an increasingly \ngreater threat to public health. So we appreciate your \nguidance, your testimony and your leadership on this.\n    We look forward to continuing the partnership to make sure \nthat Americans are safe and secure wherever they are as it \nrelates to the internet.\n    [The prepared statement of Mr. Walden follows:]\n\n                 Prepared statement of Hon. Greg Walden\n\n    Our lives continue to become more interconnected every day. \nThis explosion of digital connectivity and information \ntechnology provides us with previously unimaginable \nconvenience, engagement, capabilities, and opportunities for \ninnovation.\n    For all its benefits, however, the digitization of our \ndaily lives also comes with risk. The internet and information \ntechnologies are inherently insecure. With time, motivation, \nand resources, someone halfway around the world can find a way \ninto almost any product system.\n    As the opportunities for attackers proliferate, the \npotential consequences of their actions are becoming more \nsevere. As more products, services, and industries become \nconnected to the digital world, we must acknowledge that the \nthreat is no longer just data and information--it is public \nhealth and safety.\n    For the health care sector, these factors present a very \nreal threat--and equally daunting challenge. As we witnessed \nwith the recent WannaCry ransomware outbreak, portions of the \nNational Health System in the U.K. 
had to turn away patients \nexcept for emergency care after vulnerable systems fell victim \nto the exploit.\n    WannaCry did not appear to be a targeted attack on health \ncare, but the potential consequence of the exploit on health \ncare--including patient safety--was far more severe. If this \nhad been a more sophisticated exploit, or a targeted attack on \nthe health care sector, the consequences could have been far \nworse.\n    The health care sector is starting to grasp this new \nreality but, as noted in the recent task force report, which we \nwill discuss today, health care cybersecurity is in ``critical \ncondition'' and requires ``immediate and aggressive \nattention.''\n    Which brings us to today's hearing. Clearly, the sector \nneeds leadership. HHS is uniquely situated to fill this void. \nHistorically, the Department has struggled to effectively \nembrace this responsibility, but that trend cannot continue.\n    More recently, HHS has started to demonstrate a commitment \nand focus to addressing the rampant challenges in health care \ncybersecurity. For example, the Department's actions in \nresponse to the WannaCry ransomware--coordinated through the \nnewly established HCCIC--have generally received praise from \nthe sector.\n    This and other recent actions are positive signs that the \nDepartment is heading in the right direction. But HHS has a \nlong way to go to demonstrate the leadership necessary to \ninspire change across the sector. It needs to be open and \ntransparent about who is in charge and provide clarity about \nthe roles and responsibilities, not only internally but across \nthe sector. 
They need to make sure that a small rural hospital \nnot only knows exactly who to call, but also has access to the \nresources and information to keep their patients safe.\n    This hearing provides an opportunity for HHS to provide \nsome much needed clarity about its internal structure, as well \nas outline its plan to elevate cybersecurity across the sector.\n    The sector is operating on borrowed time. The cyber threat \nis spreading and, left unchecked, it will pose an increasingly \ngreater threat to public health.\n\n    Mr. Walden. With that, I would yield time to the chairman \nof the Health Subcommittee, Dr. Burgess.\n    Mr. Burgess. Thank you, Mr. Chairman. I appreciate you \nyielding. Chairman Murphy, thank you for holding the hearing. \nIt's a timely topic and, of course, it has real physical \nconsequences.\n    I am glad to see the recently published Health Care \nIndustry Cybersecurity Task Force Report, which we have now had \navailable. It's produced by the Health Care Industry \nCybersecurity Task Force and it's a step in the right direction \nin improving our ability to prevent and respond to \ncybersecurity events. It identifies the challenges posed by the \nhealth care and public health sector in maintaining security \nacross unique platforms and devices that must work in concert \nto enable accurate and timely deliverance of patient care.\n    It's even more important when we are considering that \nhealth care information or health information isn't something \nthat can be easily changed like a credit card number or a phone \nnumber. The health information that is there is there for life \nand the integrity of the data is paramount to protecting \npatient safety. 
I can only imagine the consequences of changing \na person's blood type, their allergy list or their disease \ndiagnosis in a system that is relying upon that information to \ntreat patients.\n    Overall, the health care and public health sector has \nimproved its ability to manage cybersecurity events including \nthe HHS' management of the WannaCry malware. But the balance \nbetween securing important data and protecting patient privacy \nneeds continuous evaluation and adjustment. It is indeed a \ndelicate balancing act.\n    Is there a point where information sharing creates more \nvulnerability in identifying entities as targets of attack? \nWhat happens when a health care organization limits the \nreporting of breaches or the sharing of information for fear of \nlosing customer confidence or becoming a target? How do we \nincrease the availability of cybersecurity professionals in the \nhealth sector?\n    So I thank our witnesses for being here. I look forward to \nthese discussions and it should be an eventful morning.\n    I yield back, Mr. Chairman.\n    [The prepared statement of Mr. Burgess follows:]\n\n             Prepared statement of Hon. Michael C. Burgess\n\n    Good morning. Cybersecurity in the health care sector is a \ntimely topic that has real, physical consequences. In almost \nthree decades as a practicing physician, ransomware was never \nan issue I faced. Now, the threats posed by malicious actors \nare almost universal across the sector due to legacy systems, \npoor cyber hygiene, and a severe shortage of qualified \ncybersecurity professionals.\n    Most cyber attacks have the potential to cause real harm, \ndepending on the severity and target. However, in health care \ncybersecurity, it is a certainty. 
Anytime information in the \nhealth care and public health sector is compromised, it poses a \nrisk to providers, patients, and all those who serve and supply \nthem.\n    The recent WannaCry ransomware infected thousands of \ncomputers across the world and severely impacted the health \ncare sector in the United Kingdom. While the U.S. health sector \nwas largely spared from this paralyzing malware, some \norganizations continue to deal with the effects of trying to \neradicate this virus from their systems. The ease with which \nWannaCry was able to infect so many systems is alarming--and it \nwas entirely preventable. While this particular malware only \nsought to lock information until a ransom was paid, the \nthreshold remains low for more malicious actors to access \ncritical health systems. We must work to acquire the cyber \nexpertise, resources, and structure to combat such \nvulnerabilities.\n    The report produced by the Health Care Industry \nCybersecurity task force is a step in the right direction in \nimproving our ability to prevent and respond to cybersecurity \nevents. The report also identifies the challenges posed by the \nhealth care and public health sector in maintaining security \nacross unique platforms and devices that must all work in \nconcert to enable accurate and timely patient care.\n    This is even more important when considering that health \ninformation isn't something you can easily change, such as a \ncredit card or phone number. Your health information is your \ninformation for life, and the integrity of this data is \nparamount to protecting patient safety. Can you imagine the \nconsequences of altering a person's blood type, allergies, or \ndisease diagnosis in a system relied upon by providers to \ntreat patients?\n    Overall, the health care and public health sector has \nimproved its ability to manage cybersecurity events, including \nHHS' management of the WannaCry malware that resulted in \nminimal effect on U.S. 
health organizations. But the balance \nbetween securing important data and protecting patient privacy \nneeds continuous evaluation and adjustment. Is there a point \nwhere information sharing creates more vulnerability by \nidentifying entities as targets of attack? What happens when \nhealth care organizations limit reporting of breaches or the \nsharing of information for fear of losing customer confidence \nor becoming a target? How do we increase the availability of \ncybersecurity professionals in the health sector? I look \nforward to discussing these and other issues with the witnesses \ntoday. Thank you.\n\n    Mr. Murphy. Thank you.\n    I now recognize Mr. Pallone for an opening statement of 5 \nminutes.\n\nOPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE \n            IN CONGRESS FROM THE STATE OF NEW JERSEY\n\n    Mr. Pallone. Thank you, Mr. Chairman.\n    This committee has a long history of examining \ncybersecurity. The federal government continues to make \nprogress towards addressing vulnerabilities in the health care \nsector. But it's clear that we still have a lot of work to do.\n    For example, the 2015 Anthem attack highlighted the need \nfor all industry members to come together and find solutions to \ncyberthreats. More recently, the WannaCry ransomware attack \ndemonstrated that cyberattacks are real-world consequences that \ncan place patients at risk. And now with the interconnection of \nhealth records and a network of connected medical devices, the \nthreat of cyberattacks on critical parts of our health care \ninfrastructure is ever present.\n    While there is no single solution, it appears the \nDepartment of Health and Human Services is making some traction \nin assisting its own agencies and private stakeholders in \nconfronting cyberthreats. 
We must make sure that HHS has the \nresources it needs to develop and implement a robust \ncybersecurity strategy, something I hope we can explore today.\n    Just this past week, an HHS task force released a long-\nawaited report that describes challenges and makes \nrecommendations to address cyberthreats facing the health care \nsector. The task force determined that the health care sector \nmust pay immediate and aggressive attention to cybersecurity. \nIt also made a host of important recommendations to the health \ncare industry and HHS to consider.\n    There are no easy solutions for the issues highlighted in \nthis report. I look forward to hearing how the administration \nintends to address them and, importantly, how this committee \nintends to hold HHS accountable for progress or lack of \nprogress on this issue. I am also interested in learning about \nhow HHS plans to develop its newly proposed Health \nCybersecurity and Communication Integration Center and what \nchallenges it faces in establishing and operating it.\n    And finally, Mr. Chairman, I am interested in understanding \nwhether HHS has the budgetary resources it needs to \nappropriately address its cybersecurity responsibilities. This \nincludes efforts to prevent cyberattacks. It also includes the \nHHS' responsibilities to hold regulated entities accountable, \nespecially when those entities fail to protect the sensitive \nhealth care information that we trust them to safeguard.\n    And in conclusion, Mr. Chairman, we need to up our game if \nwe intend to defend against a growing number of cyberattacks \nfacing the health care sector.\n    I am pleased to welcome our witnesses from HHS and I look \nforward to hearing from them about how HHS can enhance our \nhealth care cybersecurity. 
But that being said, I believe we \nstill have a long way to go to improve our preparedness in this \narea and I look forward to hearing how this committee intends \nto hold HHS accountable moving forward.\n    And I yield back. Thank you, Mr. Chairman.\n    [The prepared statement of Mr. Pallone follows:]\n\n             Prepared statement of Hon. Frank Pallone, Jr.\n\n    Mr. Chairman, thank you for holding this hearing today.\n    This Committee has a long history of examining \ncybersecurity. The federal government continues to make \nprogress toward addressing vulnerabilities in the health care \nsector, but it is clear that we still have a lot of work to do.\n    For example, the 2015 Anthem attack highlighted the need \nfor all industry members to come together and find solutions to \ncyber threats. More recently, the ``WannaCry'' ransomware \nattack demonstrated that cyberattacks have real world \nconsequences that can place patients at risk.\n    And now, with the interconnection of health records--and a \nnetwork of connected medical devices--the threat of \ncyberattacks on critical parts of our health care \ninfrastructure is ever-present.\n    While there is no single solution, it appears the \nDepartment of Health and Human Services (HHS) is making some \ntraction in assisting its own agencies and private stakeholders \nin confronting cyber threats. We must make sure that HHS has \nthe resources it needs to develop and implement a robust \ncybersecurity strategy-something I hope we can explore today.\n    Just this past week, an HHS task force released a long-\nawaited report that describes challenges and makes \nrecommendations to address cyber threats facing the health care \nsector.\n    The task force determined that the health care sector must \npay ``immediate and aggressive attention'' to cybersecurity. 
It \nalso made a host of important recommendations for the health \ncare industry and HHS to consider.\n    There are no easy solutions for the issues highlighted in \nthe report. I look forward to hearing how the administration \nintends to address them--and, importantly, how this Committee \nintends to hold HHS accountable for progress, or lack of \nprogress, on this issue.\n    I am also interested in learning about how HHS plans to \ndevelop its newly proposed Health Cybersecurity and \nCommunications Integration Center, and what challenges it faces \nin establishing and operating it.\n    Finally, Mr. Chairman, I am interested in understanding \nwhether HHS has the budgetary resources it needs to \nappropriately address its cybersecurity responsibilities. This \nincludes efforts to prevent cyberattacks. It also includes the \nHHS's responsibilities to hold regulated entities accountable, \nespecially when those entities fail to protect the sensitive \nhealth care information that we trust them to safeguard.\n    In conclusion, Mr. Chairman, we need to up our game if we \nintend to defend against a growing number of cyberattacks \nfacing the health care sector.\n    I am pleased to welcome our witnesses from HHS, and I look \nforward to hearing from them about how HHS can enhance our \nhealth cybersecurity. But that being said, I believe we still \nhave a long way to go to improve our preparedness in this area, \nand I look forward to hearing how this Committee intends to \nhold HHS accountable moving forward.\n    Thank you and I yield back.\n\n    Mr. Murphy. Thank you.\n    And so now I ask unanimous consent that the members' \nwritten opening statements be introduced into the record and \nwithout objection the documents will be entered into the \nrecord.\n    Now I'd like to introduce our panel of esteemed federal \nwitnesses for today's hearing. Mr. 
Steve Curren, director of \nthe Division of Resilience, Office of Emergency Management, \nOffice of the Assistant Secretary for Preparedness and Response. \nWelcome here.\n    Mr. Leo Scanlon, deputy chief information security officer \nand designee for cybersecurity for HHS under the Cybersecurity \nAct of 2015, welcome. And Mr. Emery Csulak--did I say that \nright? OK. Chief Information Security Officer and Senior \nPrivacy Official, Centers for Medicare and Medicaid Services \nand Co-chair of the Health Care Industry Cybersecurity Task \nForce.\n    Thank you all for being here today and providing testimony. \nWe look forward to a very productive discussion on this.\n    Now, I understand, Mr. Curren, you'll be the one presenting \nthe initial testimony? But since you all may be asked to \ncomment we will ask you all to be sworn in.\n    You're all aware that since this committee is holding an \ninvestigative hearing when so doing it has the practice of \ntaking testimony under oath. Do any of you have objections to \ntaking testimony under oath? Seeing none, the chair then \nadvises you that under the rules of the House and rules of the \ncommittee you are entitled to be advised by counsel. Do any of \nyou desire to be advised by counsel during testimony today? And \nseeing none there, too. In that case, will you all please rise \nand raise your right hand. I'll swear you in.\n    [Witnesses sworn.]\n    Thank you very much. Seeing that all have answered in the \naffirmative you're now under oath and subject to the penalties \nset forth in Title 18 Section 1001 of the United States Code.\n    So members are aware, I mentioned that the department has \nsubmitted one written testimony on behalf of all three \nwitnesses. Each plays a distinct cybersecurity role within the \ndepartment.\n    They will give a brief opening statement describing their \nroles and responsibilities. Mr. Curren will begin before \nturning to his colleagues. 
Each witness' opening statement is \nreflected in the department's written testimony.\n    Mr. Curren, you are recognized for an opening statement.\n\n STATEMENTS OF STEVE CURREN, DIRECTOR, DIVISION OF RESILIENCE, \n    OFFICE OF EMERGENCY MANAGEMENT, OFFICE OF THE ASSISTANT \n  SECRETARY FOR PREPAREDNESS AND RESPONSE, U.S. DEPARTMENT OF \n     HEALTH AND HUMAN SERVICES; LEO SCANLON, DEPUTY CHIEF \n  INFORMATION SECURITY OFFICER, U.S. DEPARTMENT OF HEALTH AND \n   HUMAN SERVICES; EMERY CSULAK, CHIEF INFORMATION SECURITY \n OFFICER AND SENIOR PRIVACY OFFICIAL, CENTERS FOR MEDICARE AND \nMEDICAID SERVICES, CO-CHAIR, HEALTH CARE INDUSTRY CYBERSECURITY \n                           TASK FORCE\n\n                   STATEMENT OF STEVE CURREN\n\n    Mr. Curren. Good morning, Chairman Murphy, Ranking Member \nDeGette and distinguished members of the House Energy and \nCommerce Subcommittee on Oversight and Investigations.\n    I am Steve Curren, director of the Division of Resilience \nwithin the Office of Emergency Management in the Office of the \nAssistant Secretary for Preparedness and Response, or ASPR. \nToday I will be discussing ASPR's functions and cybersecurity \nmission within the Department of Health and Human Services.\n    ASPR was authorized by the 2006 Pandemic and All-Hazards \nPreparedness Act and works within HHS with federal, state, \ntribal, territorial and local partners to protect the public \nfrom the health and medical impacts of emergencies and \ndisasters. ASPR's responsibilities are broad and include \noverseeing advanced research, development and procurement of \nmedical countermeasures; leading federal public health and \nmedical response efforts under the National Response Framework; \nserving as the federal lead agency for the health care and \npublic health sector under the National Infrastructure \nProtection Plan; and providing integrated policy and strategic \ndirection under the National Health Security Strategy.\n    ASPR's Office of Emergency Management is responsible for \nmany of ASPR's core preparedness, response and disaster \nrecovery capabilities. OEM provides communities with the \nresources necessary to support disaster planning efforts and \nensures that the health care system can respond to a wide \nvariety of emergencies. Within OEM, I am responsible for ASPR's \ncontinuity of operations program which works to ensure the \nresilience of HHS' systems and programs in the face of \nemergencies and disruptions. I am also responsible for the \ncritical infrastructure protection program which focuses on the \nsecurity and resilience of private sector health care partners.\n    ASPR works with all levels of government and the private \nsector to mitigate risk from all hazards including physical and \ncyberthreats. Over the past 5 years, few infrastructure issues \nhave challenged the health sector more than the proliferation \nof cyberattacks. Within our modern system of health care, \nnearly everything is connected through a system of systems \nincluding dialysis machines and electronic health records. \nCyber is both a direct and a secondary threat. It could impact \neveryday patients in health care delivery by locking down \naccess to important medical information and lifesaving \nequipment. It can also exacerbate an existing emergency where \nhospitals and emergency first responders are already working at \na frantic pace to save lives. They cannot afford to lose access \nto communications or risk further delays in their response.\n    Since 2014, the sector has been hit with a wave of large \nhealth care information breaches, compromising the personal \ninformation of hundreds of millions of individuals. 
In 2016, we \nstarted to see the rise of health care ransomware attacks. In \nthese attacks, computer malware is used to lock up the files of \nhealth care organizations while criminals demand payment in \nexchange for restored access. These attacks shifted the threat \nlandscape considerably as they no longer threaten just personal \ninformation but the ability of health care organizations and \nthus communities to provide patient care.\n    When the massive WannaCry ransomware attack hit dozens of \nhospitals in the United Kingdom just a few weeks ago, ASPR took \nimmediate action to engage the broader U.S. health sector and \nensure that IT security specialists had the necessary \ninformation to protect against, respond to and report \nintrusions. This effort included calls with up to 3,100 \nparticipants each, daily messages with answers for frequently \nasked questions, resources from other federal departments and \nagencies and guidance on how to report attacks.\n    Beyond specific threats, ASPR and our partners have decided \nto organize a joint public and private sector working group for \ncybersecurity to implement national policies such as the \nNational Institute of Standards and Technology \ncybersecurity framework and the National Cyber Incident \nResponse Plan. We have also benefited from the Cybersecurity \nAct of 2015 which provided the sector with a structure to drive \nits continued engagement in cybersecurity.\n    ASPR led HHS' efforts to establish and support the Health \nCare Industry Cybersecurity Task Force, which has completed its \nterm and recently delivered its report to Congress.\n    In closing, HHS' cybersecurity mission is a national \nresponse requiring broad collaboration. 
The department is \ncommitted to a safe, secure, and resilient cyber environment that \npromotes cybersecurity knowledge, innovation, confidentiality, \nand privacy in collaboration with government, private sector, \nand international partners.\n    While the cyber realm is ever evolving and presenting new \nchallenges, please be assured that HHS and our partners are \nmoving in the right direction.\n    Mr. Murphy. All right. Thank you very much.\n    I will now recognize myself for some opening questions for \n5 minutes. Oh, we are going to hear from the other ones? All \nright. I am sorry. I didn't realize how much this was going to \ngo.\n    Mr. Scanlon.\n    [The prepared statement of Messrs. Curren, Scanlon, and \nCsulak follows:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n                    STATEMENT OF LEO SCANLON\n\n    Mr. Scanlon. Thank you.\n    Good morning, Chairman Murphy, Ranking Member DeGette, and \nmembers of the subcommittee. I am Leo Scanlon, Deputy Chief \nInformation Security Officer and the designated Senior Advisor \nfor Health Care, Public Health Sector Cybersecurity at the \nDepartment of Health and Human Services.\n    I am also the designated Senior Advisor of Public Health. I \nalready said that. I will be discussing the agency's response \nto CISA, in particular the designation of senior advisor and \nthe establishment of the Health Care Cybersecurity \nCommunications Integration Center--otherwise known as the \nHCCIC.\n    Both of these actions will support enhanced public-private \npartnerships through regular engagement and outreach to the \nsector. 
These actions are consistent with Executive Order 13800 \nand are a direct response to the Cybersecurity Act of 2015.\n    These critically important steps will leverage HHS \ncapabilities and outreach to help the HPH sector improve its \npreparedness for and response to security incidents now and \ninto the future.\n    The senior advisor of cybersecurity will align and \ncoordinate the internal stakeholders to collaborate with the \nprivate sector, the U.S. Department of Commerce's National \nInstitute of Standards and Technology, NIST, and the U.S. \nDepartment of Homeland Security, DHS, to develop voluntary \nguidelines to support adoption of the NIST cybersecurity \nframework and to support the HPH sector risk reduction and \nresilience.\n    DSA is the chair of the HHS Cybersecurity Working Group, \nwhich is the principal forum for coordinating cybersecurity \nsupport and response across all HHS operating divisions and \nstaff divisions. DSA and the CSWG are tasked with the job of \nestablishing a one-stop point of access to HHS cybersecurity \ncapabilities--a cyber 311 that will allow access to HHS for the \nentire sector, especially the small and rural provider entities \nwho rarely interact with the federal government and who need \nsector-specific mitigation strategies, guidance, and follow-on \nassistance in response to cyberattacks.\n    The HCCIC is designed to be the central location for HPH \ninformation sharing and will allow HHS to extend internal \nthreat sharing and analytic capability to our federal partners, \nlaw enforcement and intelligence partners, the National \nCybersecurity and Communications Integration Center, the NCCIC, \nand our private sector partners at the NH-ISAC and other ISAOs. \nThe most important outputs of the HCCIC, though, are products \nand guidance that are human consumable by entities that do not \nhave the sophisticated technology that supports machine speed \nreaction to threat indicators. 
Smaller entities need \ninformation that they can use no matter what their capabilities \nare. This includes basic cybersecurity guidance, how-to \ninstructions as well as assistance in contacting specialists \nwithin HHS and assistance in accessing federal capabilities \nsuch as those that are available through the DHS and the NCCIC.\n    In the recent WannaCry mobilization, HCCIC analysts \nprovided early warning of the potential impact of the attack \nand HHS responded by putting the secretary's operation center, \nthe SOC, on alert. This was the first time that a cyberattack \nwas the focus of such a mobilization and HCCIC was able to \nsupport ASPR's interactions with the sector by providing real-\ntime cyber situation awareness, best practices guidance and \ncoordination with US-CERT and the IRT teams at the NCCIC.\n    Sector calls generated by ASPR reached thousands of health \ncare organizations and providers. One call had more than 3,000 \nlines open and continued for more than two hours of questions \nand discussion. The experience provided a rich set of lessons \nlearned and has highlighted the disturbing reality that the \ntrue state of cybersecurity risk in the sector is under \nreported by orders of magnitude and the vast majority of the \nHPH sector is in dire need of cybersecurity assistance.\n    The SA, the HCCIC, and the CSWG have the long-term task of \nassisting the sector to shift from a compliance-oriented \nsecurity posture to a dynamic risk management approach. This \nmeans different things at different levels of the sector, but \none thing is clear. 
The regulatory mechanisms that served to \ncall attention to the need to protect PHI and PII are \nfundamentally challenged by the technical capabilities of \nthreat actors who operate at scale and machine speed and who \nhave brought the specter of life-threatening impact from a \ncyberattack into the operating rooms and ambulances of our \nproviders and first responders.\n    HHS is prepared to play a leading role in addressing that \nchallenge.\n\n                   STATEMENT OF EMERY CSULAK\n\n    Mr. Csulak. Thank you.\n    Chairman Murphy, Ranking Member DeGette and members of the \nsubcommittee, thank you for the opportunity to discuss the work \nof the department's Health Care Industry Cybersecurity Task \nForce.\n    In addition to my role as the chief information security \nofficer and senior official for privacy at the Centers for \nMedicare and Medicaid Services, for the last year I served as \nthe government co-chair of the task force.\n    The Cybersecurity Act of 2015 required the Department of \nHealth and Human Services to convene top subject matter experts \nfrom across industry and government to address the growing \nchallenges of cybersecurity attacks targeting health care.\n    The task force spent a year receiving and reviewing input \nfrom experts from inside and outside the health care industry \nand the general public in order to develop recommendations and \naction items for a congressional report that was released \nearlier this month. I want to thank the 21 task force members, \nincluding 17 from private sector organizations, whose \ncontributions made this report possible based on their passion \nto improve the sector.\n    The task force worked diligently to balance the industry \nand government perspectives. The task force discussions \nresulted in the development of six imperatives along with \ncascading recommendations and action items. 
All of these \nreflect the need for a unified effort among public and private \nsector organizations of all sizes and across all subsectors to \nwork together to meet an urgent challenge. They also reflect \nshared understanding that for the health care industry \ncybersecurity issues are, at the heart, patient safety issues.\n    I want to take this opportunity to provide a brief overview \nof some of the report's most important recommendations. These \nare the steps that can be taken within the industry as well as \nby the federal government, including recommendations for HHS to \nconsider in addressing the cybersecurity challenges facing the \nsector. A few key themes emerged from these recommendations.\n    First, the task force identified the need for cybersecurity \nleadership. The report outlines the importance of leadership to \ndrive organizational change and ensure adequate visibility \nacross organizations. For HHS, cybersecurity leadership focuses \non aligning programs to ensure a consistent message and \nstandards across HHS with engagement of industry.\n    The task force also addresses the need to reduce burden for \nsmall and rural providers who may have additional challenges in \nmeeting HHS regulations. For industry, leadership focuses on \ncommunication with executives, driving change, and taking a \ncomprehensive look at the threats facing an organization. \nIndustry needs cybersecurity governance models that work for \norganizations of all sizes and provider types.\n    Second, the task force report highlights the importance of \nprotecting medical devices and other health IT. Medical devices \nand electronic health records expand the attack surface, which \ncan directly impact patient safety. 
Some issues raised in the \nreport include taking a total life cycle approach and \nrecommending a mix of regulation, accreditation, information \nsharing, and voluntary development and adoption of standards to \npromote system security from product design and development \nthrough product end of life.\n    Third, the task force found that HHS needs to make the \ndiscussion, oversight, and engagement around cybersecurity \nclearly and consistently messaged. This includes completing \nwork on a voluntary cybersecurity framework established in the \nCybersecurity Act of 2015 and harmonizing regulations and \nguidance as part of HHS' sector engagement. By speaking the \nsame language, barriers to education and improvement of the \nsector will be lowered. It is clear to members of the task \nforce that we must consider the unique needs of small and rural \norganizations as well as new entrants and innovators. These \norganizations can have different and sometimes more acute needs \nthan large organizations who have already invested in \ncybersecurity and infrastructure. Harmonizing regulations can \nhelp to reduce burden on these organizations in particular and \nthus increase patient safety.\n    Finally, the task force calls for continuing to strengthen \npublic-private partnerships. 
In particular, the task force \ncalls for the establishment of an ongoing public-private forum \nsimilar to the task force to further the discussions of health \ncare industry cybersecurity as the industry evolves.\n    Task force members found this engagement with federal \npartners beneficial to understand our common cybersecurity \nchallenges and concerns.\n    These efforts will also enable an ongoing conversation and \ndevelop strategies to identify resources and incentives that \nwould help to overcome the barriers faced by small and rural \norganizations.\n    While much of what we recommend will require hard work, \ndifficult decisions, and commitment of resources, we will be \nencouraged and unified by our shared values as health care \nindustry professionals in our commitment to providing safe \nhigh-quality care.\n    Thank you for the opportunity to share the task force work \nand I am happy to answer any of your questions.\n    Mr. Murphy. I thank all of our panel for your statements.\n    I want to read the opening sentence here from the Health \nCare Industry Cybersecurity Task Force, where it says the \nhealth care system cannot deliver effective and safe care \nwithout deeper digital connectivity.\n    If the health care system is connected but insecure, this \nconnectivity could betray patient safety, subjecting them to \nunnecessary risk and forcing them to pay unaffordable personal \ncosts.\n    To that end, Mr. Curren, want to highlight why this is \nimportant? In your opinion, what is at stake when health care \ninformation is compromised by a cyber threat? How bad does this \nget?\n    Mr. Curren. 
Thank you very much for the question.\n    It is an issue that's very important to us and that we take \nvery seriously because the risk of attacks to the health care \ninfrastructure from cyberattacks really is confidence in the \nhealth care system in general and we think that patients should \nhave confidence in the system to provide care, also to provide \nprotection to their information.\n    You asked about the need to balance two very important \nconcerns. One concern is the use of electronic medical records \nand other health technologies to advance care, to link \ninformation, to provide medical devices that provide excellent \ncare to individuals as well as provide the security to keep \nthose systems and those devices safe and that is the commitment \nI think that the task force made as we were involved in their \ndiscussions was to advance those issues together because really \nwe can't do one without the other. We need to rely on these \ntechnologies. We also need to focus on keeping them safe.\n    Mr. Murphy. But along these lines--in terms of what could \nhappen here, whether it is like what happened in the United \nKingdom--blocking a system from working entirely so voluntary \nsurgery and others and emergency care was all diverted. But it \ncould also affect things like information about what is in a \nmedical records, medications a person may take and it could \nalso interfere with the functions of a wide range of medical \ndevices. Am I clear on that?\n    Mr. Curren. There's always potential for patient safety \nissues related to cybersecurity incidents and we like to put \nthat into context.\n    We don't think the patient should overweigh the concern of \ncybersecurity risk when they go seek care. We do believe the \nbenefits of care, the benefits of these devices and these \nsystems greatly outweigh the risks that are there.\n    However, we do need to take the risks seriously. 
What I can \nsay is that HHS--we are set up to respond to both the cyber \nimpacts of these attacks as well as the potential physical \nimpacts, impacts on health care. Through our program ASPR, just \nto give the WannaCry example as one example, we worked very \nclosely with Leo's organization and the HCCIC. They were active \nin getting the latest information on the threat, analyzing it, \nunderstanding what the issues were and communicating that to \nour partners in the health care sector.\n    Meanwhile, we were working out of the secretary's operation \ncenter and prepared for any type of health care impact that \nthere might have been to provide resources that ASPR has to \nassist in those responses.\n    Mr. Murphy. And I appreciate it. I will get to that in a \nminute and you did play a vital role here. But I'm concerned \nabout that information about the various roles and capability \nof HHS.\n    Has it been adequately conveyed to industry yet? And this \nhas got to be a public-private partnership. So we are aware you \ncreated the HCCIC and to serve as the nexus for cybersecurity \nefforts.\n    But to date there has been little public information about \nthis new center to start. So why did HHS decide to establish \nthe HCCIC? Did someone recommend this and is there a reason for \nthis recommendation?\n    Mr. Curren. Let me start out, then I will hand it to my \ncolleague, Leo Scanlon. We have had a partnership with the \nprivate sector for many years in critical infrastructure \nprotection since Homeland Security Presidential Directive 7 in \n2003 started these infrastructure partnerships across 16 \ncritical infrastructure sectors.\n    What has changed in the past several years is the \nimportance of the cyberthreat and HHS is evolving to meet that \nthreat.\n    So we work very closely with our partners both internal to \nHHS as well as externally. So, Leo, maybe expand on the HCCIC.\n    Mr. Scanlon. 
Yes, sir.\n    The impulse to establish the HCCIC, continuing on what \nSteve just pointed out, is really based on the evolution of the \nway defense against these threats is carried out.\n    We've learned over the past few years that the machine \ngenerated information that we now have from our log files and \nour firewalls and other defensive devices is an enormous \nfirehose of information and ultimately has to be analyzed by \nanalysts who are specialists who can interpret, understand and \nput context to this information and that's best carried out in \na collective environment where people sit together and can \ncommunicate in real time and be in touch with their external \norganizations and other partners and this is what the NCCIC \nfloor, for example, is all about.\n    That's what it does at a national level. It allows \ndifferent sectors and organizations and intelligence \norganizations to be present, communicate and share information.\n    The HCCIC is designed to do that both across the HHS \noperating divisions to knit together the very formidable \ncapabilities that exist in each of our operation divisions of \nCMS, CDC, NIH and put them together in real time and then \nprovide real-time links to our partners externally and that's \nthe fundamental purpose of it.\n    Mr. Murphy. Who recommended this?\n    Mr. Scanlon. It was our internal decision to take the \nexisting capabilities that we have that were set up in a \ndisparate fashion, unite them in a common place and take this \nmodel of threat sharing which has now become an industry \nstandard and apply it to the challenge that we face.\n    So it was an immediate response in that sense to the CISA \nAct requirement that we develop the capacity to share threats \nin real time with the sector.\n    So that's the capability that the HCCIC provided and that \nwas the form that we determined was the most efficient and \neffective way to do that.\n    Mr. Murphy. OK. Thank you.\n    Ms. 
DeGette, 5 minutes.\n    Ms. DeGette. Thank you.\n    As I mentioned in my opening statement, the WannaCry \ncyberattack was really a wake-up call. So I want to talk for a \nminute about what we are doing to prevent and to respond to \nthese types of attacks in the health care sector.\n    As we heard, HHS is launching the HCCIC, or the Cyber \nCenter, and in your testimony you said that HCCIC was an \nintegral part of ASPR's coordinated response to the WannaCry \nincident.\n    So I just wanted to ask you, Mr. Curren, as you stated and \nalso I noted in my opening the Cyber Center was established to \naddress gaps in cybersecurity and also to help prevent attacks \nlike this WannaCry attack. Is that right?\n    Mr. Curren. And this would be the HCCIC.\n    Ms. DeGette. Yes.\n    Mr. Curren. Yes, and Leo could talk more to that. Within \nASPR we coordinate for the WannaCry incident response. Whether \nit's a hurricane, tornado, or cyber event, we coordinate for \nthe department. But the HCCIC was one capability within that \nfor this cyberattack to coordinate the sharing of cyber \ninformation and response.\n    Ms. DeGette. So how do you think this will happen? How do \nyou think the Cyber Center can be effective in protecting HHS' \nhealth networks and systems? Go ahead, Mr. Scanlon.\n    Mr. Scanlon. Thank you. Yes. So the value of the HCCIC is \nevidenced in the way we were able to work in the WannaCry \nincident.\n    There's a broad and very deep communications capability \nthat ASPR has to the sector. We were able to get another \ncomponent of information gathered through cybersecurity \nspecialists to provide situational awareness, which is the most \nimportant thing in a dynamic event.\n    Facts are very hard to grab when an attack like this is \ngoing on. 
Attribution, who is doing it, what their intentions \nare and exactly what's going to happen next all disappears on a \nfog of activity.\n    We were attempting at all times to bring the best knowledge \nthat was available across the sector from US-CERT, from the \nNCCIC, from our sector partners and communicate that out.\n    That's a capability that did not exist in a formalized way \nuntil we created the HCCIC and the intention of the HCCIC was \nto support the ASPR capability. They have all-hazards response. \nSo this is a cybersecurity function that we wanted to bring \ninto the all-hazards response capability.\n    Ms. DeGette. Yes. Now, can you talk about FDA's information \ntechnology systems? Is that something you can talk about?\n    Mr. Scanlon. I can tell you about what we did to \ncommunicate FDA's and the most important concerns that were \nraised in the----\n    Ms. DeGette. OK. Yes. Well, there was this GAO report last \nAugust that said there were major weaknesses in the FDA's \ninformation technology.\n    So what I was wondering is, number one, why were the FDA's \nIT systems allowed to be so plagued with the security issues \nand, number two, what's the agency doing about it?\n    Mr. Scanlon. I think that it would be more appropriate for \nus to take that back and get back to you with specifics. None of \nus are from the FDA.\n    Ms. DeGette. Right.\n    Mr. Scanlon. So it would be not very----\n    Ms. DeGette. OK. So you don't know the answers to that?\n    Mr. Scanlon. I couldn't give you an authoritative answer.\n    Ms. DeGette. So from the HHS perspective though, you didn't \nhave very good visibility into what was happening over there. \nIs that right? At the FDA.\n    Mr. Scanlon. You're referring to the GAO audit and the \nfindings of the audit?\n    Ms. DeGette. Right. Yes.\n    Mr. Scanlon. This is not in any of our purview, honestly.\n    Ms. DeGette. OK. If you can get back to me that would be \ngood because----\n    Mr. Scanlon. 
We would be very happy to do that.\n    Ms. DeGette [continuing]. What we really worry about is \nthat cybersecurity attacks they're going to come throughout all \nthe government. They're not just going to focus on one agency. \nAnd so that's why we have to really----\n    Mr. Scanlon. Well, ma'am, I could say to you though that \none of the functions of the HCCIC has been to enhance the \nexisting capabilities across our operating divisions, which are \nformidable and have been very effective in many, many ways.\n    And so this is where the agency is taking steps constantly \nto evaluate, assess and improve our cybersecurity capabilities \nin all of our operating divisions.\n    Ms. DeGette. OK. Do you think there's more we could be \ndoing?\n    Mr. Scanlon. There's always more we could be doing.\n    Ms. DeGette. And what do you need from us to do more?\n    Mr. Scanlon. I don't have to say we are always looking for \nfunds to help us support these activities.\n    Ms. DeGette. So if you want funds to support the activities \nwhat would be helpful to us is to know what those activities \nyou need additional funding for.\n    Mr. Scanlon. We could certainly get back to you with \nspecifics.\n    Ms. DeGette. Great. OK. Thank you, Mr. Chairman. I yield back.\n    Mr. Murphy. Thank you.\n    I now recognize the vice chair of the committee, Mr. \nGriffith, for five minutes.\n    Mr. Griffith. Thank you very much, Mr. Chairman. Thank you \nall for being here this morning. I am curious, as Congresswoman \nDeGette was talking about the FDA and she's right. They're not \ngoing to just try one door. They're going to try all the doors. \nSo I would hope that they would be included.\n    Maybe you all can help me out. I'm listening to all these \ninitials being thrown around and this is not an area I'm \ncomfortable with. HCCIC versus Health Care in Industry \nCybersecurity Task Force that was called upon to be set up as a \npart of the Cybersecurity Act. 
What are the differences in \nthose two?\n    Mr. Scanlon. Yes. So the HCCIC is simply an easy way to say \nthe large mouthful. The HCCIC is an organization within HHS and \nit is responding to, as I mentioned, in specific the \nrecommendations in the Cybersecurity Information Sharing Act, \nwhich requested the agency or required the agency to establish \nthe ability to do real-time sharing of threat indicators with \nthe sector. So that is what the HCCIC does with respect to the \nCISA Act.\n    Mr. Griffith. All right. Any of you all can answer this who \nfeels comfortable with it--but the Health Care Industry \nCybersecurity Task Force that was supposed to be set up, what \nis that doing and how often do they meet?\n    Mr. Csulak. OK. The Health Care Industry Cybersecurity Task \nForce, again, was established as part of the Cybersecurity Act \nof 2015. It had a very segmented period of time. It was \nliterally by the legislation to only last 12 months. So we \ncompleted our work earlier this year and during that time we \nmet at least monthly with both industry as well as the \ngovernment to inform and advise the 21 members of the task \nforce in the creation of this report of really looking and \nanalyzing the challenges facing health care sector in----\n    Mr. Griffith. And we appreciate that the report came out. \nSo you're telling me that you met at least 12 times during the \nyear, maybe some more?\n    Mr. Csulak. A lot more than 12 but the minimum was 12.\n    Mr. Griffith. Could you get us a number on how many times \nyou met?\n    Mr. Csulak. It is actually in the appendices of the report.\n    Mr. Griffith. Excellent.\n    Mr. Csulak. You will see every single meeting that we had \nand who attended it.\n    Mr. Griffith. All right. I appreciate that.\n    And can you tell me how the representatives were selected \nto be on the task force from both the health care sector and \nfrom the federal government?\n    Mr. Csulak. 
We did an open call of interested individuals \nfor that. I believe Mr. Curren actually arranged the scheduling \nof all of that but we had over a hundred candidates who were \nself-nominated or nominated by their organizations.\n    We formed a joint working group with NIST, DoD, DHS and HHS \nto look at the candidates and find candidates who represented \ncyber security practitioners in the field.\n    Each of those four agencies I just mentioned nominated one \nperson to represent the agency and then those representatives \nalong with members on the task force identified 17 of the over \n100 candidates who were interested in the positions who had \nclear cybersecurity roles as part of their duties, were not \njust executives but were actual practitioners and would \nrepresent various parts of the industry.\n    If you look at the legislation we needed to represent \ncertain fields, we wanted to look at medical devices. We wanted \nto look at providers. There was a range of capabilities that we \nwanted to deal with so that's how they were done. We narrowed \nthose down. We made sure that all of those members could be \ncommitted for a year and that's how it started.\n    Mr. Griffith. Well, I appreciate that. Now, they came out \nwith a number of recommendations and six imperatives and \ncurious what action is now being taken to see that those six \nimperatives are addressed. Fortunately, it's in the stuff that \nwe have and the first one is define and streamline leadership, \ngovernance and expectations for the health care industry \ncybersecurity. What steps do we take now? We've got a report. \nWhat's next?\n    Mr. Csulak. When we look at it, basically the department, \nHHS, has had representatives throughout the course of this \nactivity supporting the program. So although I was the \ngovernment co-chair for the activities, each of those \norganizations have leadership representatives. 
They have \nmembership on the Cybersecurity Working Group established \nwithin HHS and everybody is basically looking at those. And the \ntask force recognizes there's a lot there, more than we could \never possibly do in one year, and really each of the groups are \nnow stepping back and saying, how do we prioritize these, where \ndo we find the resources for these and that is kind of an \nongoing conversation that's going through the Cybersecurity \nWorking Group.\n    Mr. Griffith. And as that conversation goes on, as Ms. \nDeGette said earlier, you all need to let us know what we need \nto do, whether it's legislation or otherwise, so that we can \nassist you in that because making sure that, as you heard from \nsome of the other questions, making sure that our health \nrecords are secure and making sure that we don't have folks who \nblock us from getting to those records or using them for ill \npurpose is extremely important to all of us.\n    Thank you, and I yield back.\n    Mr. Murphy. Thank you.\n    I now recognize Ms. Castor for 5 minutes.\n    Ms. Castor. Thank you, Mr. Chairman, and thank you to all \nof you for helping to keep Americans' health records safe and \nsecure. It's clear the health care sector faces increasing \nthreats from cyberattacks and I'm concerned about the \nimplications for sensitive patient information. HHS has a large \nrole to play in protecting those records. Mr. Csulak, the \nCenters for Medicare and Medicaid Services is responsible for \nthe Medicare and Medicaid electronic health records and I \nunderstand CMS helps eligible entities adopt and use electronic \nhealth records. Is that right?\n    Mr. Csulak. How do we help them do that? Again, we \npublished some standards that we do when we are working with \nany organization. The level and engagement is interpreted to \nwhat's appropriate for the various programs.\n    Ms. Castor. 
So entities that handle electronic health \nrecords must comply with federal privacy and security \nregulations. It's crucial that companies are held accountable \nwhen they fail to protect consumers' private health \ninformation. Do you share that view?\n    Mr. Csulak. Absolutely.\n    Ms. Castor. And when a cyberattack occurs and private \nhealth information is compromised, HHS has the power to \ninvestigate. Specifically, the HHS Office for Civil Rights is \nempowered to investigate how the breach happened and demand \nchanges so that it doesn't happen again. Is that correct?\n    Mr. Csulak. Correct, for privacy breaches under HIPAA.\n    Ms. Castor. So do you know what is in the president's \nproposed budget for the HHS Office of Civil Rights?\n    Mr. Csulak. I can't speak outside of CMS and the task \nforce. I don't know if one of my other speakers could speak to \nthat.\n    Ms. Castor. Well, that's OK. I looked it up. The president \nis proposing a budget cut of more than $6 million to HHS' \nenforcement of civil rights and health privacy information. \nWould these proposed cuts make it more difficult for HHS to take \naction against entities that fail to safeguard electronic \nhealth records?\n    Mr. Csulak. I think it's a tough question. Let me answer it \nfrom the task force perspective. The task force perspective \nrecognized that this is going to be an ongoing challenge and \nhow do you actually have an oversight role that scales to the \nsize of this industry with so many providers and health care \nsmall businesses out there. Can any one organization really \nscale up to be an oversight body for over a million providers \nin the United States?\n    So the task force approach said look, regardless of the \nmoney and the resources of the Office of Civil Rights, as you \nmentioned, HHS probably needs to step back and look at other \nideas.\n    What are some of the other private partner--private-public \npartnerships that we can look at? 
Can we look at models like \nthe SEC's stuff for audit account financing? How do we bring in \nother audit models? How do we look at other ways to do this \nwithout just relying on a large audit body within the \norganization.\n    So the task force approach really looks at saying \nregardless of the money there how do we leverage the private \nindustry to more effectively contribute to that knowledge base \nand to that body of work.\n    Ms. Castor. But you'd have to say that when you take cops \noff the beat that's not helpful in holding companies \naccountable that have violated their responsibility for privacy \nrecords.\n    I realize you're not with the HHS Office of Civil Rights \nbut here is the budget justification about the proposed cuts \nand it says the budget reduction would require decreases in \nauthorized regional investigators which would limit OCR's \ncapacity to resolve complaints and perform other related agency \nfunctions such as investigations and compliance reviews.\n    So isn't that the impression you get that cops would be \ntaken off the beat here?\n    Mr. Csulak. I really can't say, around the budget \nformulation for that activity. All I can say is that from the \ntask force perspective there are options out there and we \nshould be exploring those.\n    Ms. Castor. Well, according to an article from the HIPAA \njournal it reports that, ``Those budget cuts could affect the \nagency's HIPAA enforcement activity.''\n    So as we focus on the role of HHS and health care \ncybersecurity we must not forget the important role that HHS \nplays in enforcement privacy and security rules. I would hope \nthat if the administration is serious about health care \ncybersecurity it would make sure that it has all the resources \nnecessary for its cybersecurity responsibilities.\n    Thank you very much. I yield back.\n    Mr. Murphy. I'm curious. 
If you had that information from \nthe HIPAA journal and you could share that with me I'd \nappreciate that. Thank you very much.\n    Ms. Brooks, you are now recognized for 5 minutes.\n    Ms. Brooks. Thank you, Mr. Chairman.\n    Mr. Curren and Mr. Scanlon, I'm curious what lessons have \nbeen learned since the WannaCry attack. How are you taking the \nlessons learned and internalizing them within HHS, Mr. Curren, \nsince the WannaCry attack?\n    Mr. Curren. I can mention two and I'm sure we could talk \nabout many that we learned in the WannaCry attack.\n    We are an emergency response organization in ASPR. We learn \nlessons from every emergency we respond to and this is no \ndifferent. We are actually going through an after action \nprocess, which we call it, to get information on what we can \nenhance for the next response.\n    Two things we did that I think worked very well and we want \nto repeat. One is operating a cybersecurity response as an \nemergency response that marshalled the resources of the entire \ndepartment, and the secretary's leadership in that was \ninstrumental to working this issue out of the secretary's \noperation center sitting next to Leo and working calls with \nthousands of industry participants, getting information from \nother departments and agencies really was a helpful way to do \nit.\n    I think the second is that the public-private partnerships \nare essential and we can't just stand them up during \nemergencies. We say in emergency management that disaster is \nnot the time to exchange business cards and that's no different \nfor a cyber incident. We were able to exchange information with \npartners who trusted us and we trusted them with the \ninformation. We don't want to have to wait to have the final \npolished version of every piece of information we want to share \nbefore we share it. 
It's uncomfortable.\n    But in instances like this when time is of the essence, \nwhen systems needed to be patched we needed to get information \nout there immediately and having those trusted partnerships, \nbeing open, having a call on the first day with our partners \nreally helped us to establish those relationships and get that \ninformation out there.\n    Ms. Brooks. And before Mr. Scanlon answers, are there any \nrules or regulations or policies within HHS that are impeding \nthose lessons learned?\n    Mr. Curren, before we go on to Mr. Scanlon, are there any \nthings that are impeding or obstacles to those lessons that \nyou've learned?\n    And with respect to public-private partnerships, that was \nthe reason that in 2003 your office was created, if I recall--\n--\n    Mr. Curren. Yes.\n    Ms. Brooks [continuing]. Was to create those public-private \npartnerships across all sectors between government and \nindustry. And so it should just--it should just be how we \noperate, shouldn't it?\n    Mr. Curren. That is correct, and that is something we've \nbeen doing for a long time. I think if anything has evolved in \nthe past several years it's just the number of organizations \ninvolved in cybersecurity that we've continued to partner with \nand we've really grown that part of the partnership and that \ncame into play with WannaCry.\n    In terms of regulations or challenges that we are going to \naddress, we are working through a number of issues that we \nthink can help enhance the response and some of the matters we \nare looking at include protections for information and they \ncome into the federal government. We know the private \norganizations don't always look to the federal government as \nthe first place to share and they're concerned about legal \nliability with doing so. 
Even when we have protections in place \nit's essential that we are able to communicate those \nprotections in real time so they can understand them, \nappreciate them, and be compelled to or feel free or feel open \nto share that information with us.\n    So that's something that we need to do because it's a \nvoluntary mechanism going to the federal government in most \ncases for this type of sharing. So the protections that were \nprovided in the Cybersecurity Act I think take us a long way. I \nthink we still have some work to do in terms of implementation \nand really communicating that to our partners.\n    Ms. Brooks. Thank you.\n    Mr. Scanlon.\n    Mr. Scanlon. To your question as to policies that may \nimpede, our experience in WannaCry was not so much that there \nwere policies inside HHS that impede the communication in this \nemergency but it was misunderstanding of HHS policies as \nthey're currently formulated widely through the sector that \ncaused people to have a number of false ideas that we heard on \nthe calls.\n    For example, many medical device manufacturers and even \nusers of those devices believe that FDA does not allow you to \npatch a device. This is absolutely incorrect. FDA makes great \nefforts to demystify that problem. But it is widely believed \nthrough the sector. We found that there was a tremendous need \nto communicate and will be an ongoing need to communicate \nbroadly and deeply what FDA's policies actually are.\n    Similarly, with OCR, and to Representative Barton's \nquestions, there are many beliefs or misunderstandings about \nwhat you can and cannot report. But the statutes--PCII, HIPAA \nand CISA--are very, very clear in their encouragement of \nreporting of cybersecurity information during an incident.\n    And, again, we feel that there's a need for much better \ncommunication. 
We are undertaking an effort internally to look \nat how we are presenting these policies to put them into more \nplain language and to provide plain language guidance that is \nagreed upon by us and other partners that we can get to the \nsector, that we can get to the incident response teams and \nreally give them a framework in which they can communicate with \nus.\n    Ms. Brooks. Thank you. My time is up. I yield back.\n    Mr. Murphy. Thank you. I now recognize the gentleman from \nNew York, Mr. Tonko, for 5 minutes.\n    Mr. Tonko. Thank you, Mr. Chairman. Thank you and \nRepresentative DeGette for this hearing. I think the topic is \nextremely important.\n    Cybersecurity is a serious and multifaceted issue that will \nrequire an investment of significant resources and you began to \nget into that with earlier questioning from Representative \nDeGette.\n    And I understand that the president's budget includes some \nadditional funding for cybersecurity efforts at HHS. Mr. \nScanlon, how much of this new additional funding would be used \nto support the new Health Cybersecurity and Communications \nIntegration Center?\n    Mr. Scanlon. Well, sir, I don't know exactly the dollar \nfigure of the new funding, we have built the HCCIC essentially \nout of hide. We have taken existing capabilities and \ninvestments that have been planned and executed and realigned \nand repurposed those things to achieve this capacity and then \nwe've added in some of our additional technical spending.\n    But we are anticipating budget increases and proposals to \nbe put into a line item so that we can get a direct picture of \nwhat HCCIC needs and we would be looking forward to give you \nany more detail that we could about that.\n    Mr. Tonko. OK. And also, Mr. Scanlon, and I'm asking this \nquestion because we want to make certain that our house is in \norder and that HHS has sufficient resources for its own IT \nsecurity internally. 
The Office of Management and Budget \nestimates that HHS is spending $13 billion on information \ntechnology. During fiscal year 2016, only about $373 million, \nas I'm informed, or 3 percent of the HHS IT budget, was devoted \nto IT security.\n    So my question to you, Mr. Scanlon, is can you give us an \nupdated figure as to how much of the HHS budget for IT is \ndevoted to IT security for fiscal year 2016?\n    Mr. Scanlon. So I think we could get back to you. The CIO \nis actively working the budget right now and we'd be glad to \nget back to you with a detailed picture of the planned and \ncurrent spending.\n    Mr. Tonko. OK. That was fiscal year 2018. I think I might \nhave misspoken and said 2016. So you can get back to us. Can \nyou give me an answer in writing after this hearing?\n    Mr. Scanlon. Certainly.\n    Mr. Tonko. And will you give me an answer?\n    Mr. Scanlon. Yes, sir. I will.\n    Mr. Tonko. OK. To make it a little more defined.\n    Thank you. I'm happy to hear that you will provide us with \na response to my question, especially since I've been reading \nreports that a White House lawyer is telling agencies not to \nanswer questions from Democrats. So it's reassuring.\n    GAO recently found serious weaknesses in the security of \ncomputer systems at the Food and Drug Administration. GAO also \nfound that FDA spent only about 2 percent of its IT budget on \ninformation security.\n    Mr. Scanlon, what assurances can you give us that HHS is \nappropriately prioritizing cybersecurity as part of its overall \nIT efforts?\n    Mr. Scanlon. I can tell you, sir, that the FDA response to \nthe GAO audit was robust and vigorous and continues to this \nday. They have developed what we believe is a world class \nimplementation of a network operating and security operating \ncenter to support their ongoing cybersecurity activities.\n    They are major partners with us in malware analysis. 
They \nhave one of the strongest groups of malware analysts in the \nagency and they continue to proceed to respond to that audit \nand to the generalized threat.\n    The CIO has in the last year gotten agreement--this is a \nmilestone agreement for HHS for all CIOs to sign on to an IT \nstrategic plan. It includes an investment plan that places IT \nsecurity at the center of the strategy for the agency and at \nthe center of the work plans for each of the CIOs.\n    This was developed collaboratively over a period of time, \nwas signed on to by the CIOs, supported by the CISOs and is \nbeing executed and as part of the budget plan of what the \nagency is doing. The HCCIC itself is another element of a \nresponse to further enhance, consolidate and strengthen the \nability of the agency to utilize the resources, find the \nstrongest resource that we've got in any one OpDiv and make it \navailable as a force multiplier to other operating divisions.\n    So we are reimagining, if you will, or reorganizing the way \nwe deal with cybersecurity so that we have the strongest and \nmost effective use of the resources that we have.\n    Mr. Tonko. Thank you. And when will that all be \nimplemented? Is there a target date?\n    Mr. Scanlon. The IT strategic plan is a continuous process \nthat goes on over the course of the strategic planning of the CIOs \nacross the board.\n    The HCCIC is targeted for what we call initial operating \ncapability at the end of this month. That means that we will have \nour full initial technical capability in place.\n    We will have our funding understood and we will have \nmessaged--through our organization we are now in the process of \ngathering input from the operating divisions and from senior \nleadership and that once that message is completed by the end \nof June we'll be able to have a much more concrete and \ndocumentable picture of where we are.\n    Mr. Tonko. Right. 
Well, I thank you and I look forward to \nhearing from you about the IT budget at HHS and whether HHS is \ndevoting enough resources internally to cybersecurity. So I \nthank you again. With that, I yield back.\n    Mr. Murphy. Thank you.\n    I now recognize Mr. Collins of New York for 5 minutes.\n    Mr. Collins. Thank you, Mr. Chairman. I want to thank the \nwitnesses.\n    This is a very timely topic we are talking about. Now, one \nof the more important parts of health care cybersecurity in our \nconversation is the capabilities of small and medium-sized \nhealth care organizations and device manufacturers.\n    All of you today have briefly touched on the topic in your \nwritten testimony and there are recommendations within the task \nforce report that address the concern for small and medium-\nsized businesses. The fact of the matter is many of these small \nhealth care organizations do not have the resources to address \ncybersecurity. Even more problematic, they don't have the \nqualified personnel working for them to help them understand \nwhat's even at risk.\n    So if you could in our limited time, if maybe I could start \nwith Mr. Curren and ask you--maybe spend a minute and talk \nabout that issue directly as it's small and medium-sized \nbusinesses that struggle to make payroll.\n    They're having to make trade-offs each and every day \nwhether it's R&D, manufacturing and then here's this \ncybersecurity and I think the reality is too often it's the \nlast thing they're going to think about and yet, so if you \ncould maybe discuss briefly your thoughts maybe for a minute or \nso about that and I'd like the other two to also speak to that.\n    Mr. Curren. Thank you very much, and I'm certain we would \nall agree with that that the small and medium and rural health \ncare organizations really have a critical need for health care \ncybersecurity information and resources, and the cybersecurity \ntask force, of course, pointed that out. 
I think it also \nprovided some good potential solutions or at least options to \nlook at that maybe Emery can fill in on. We actually have \nlooked at that within ASPR in terms of our sharing of \ninformation with health care organizations. It's very hard for \nsmall health care organizations to process the amount of \ninformation that's out there to know what they need to do to \nprotect their systems.\n    We put out a planning grant in 2015 to Harris Health System \nin the Houston area. They took a look at their colleagues in \nthe entire health care system, small, medium and large-sized \nbusinesses to look at what are the information challenges that \nare out there and who would we need to reach most. And one of \nthe findings from that study was that the small and medium \norganizations, exactly those issues that the task force pointed \nout, are where we need to focus our efforts. Based on that, we \nissued this last year in 2016 a grant to the National Health \nInformation Sharing and Analysis Center, the NHISAC. That was a \ncompetitive grant that they won to help them to increase their \ninformation sharing specifically for small and medium-sized \norganizations that may not have the resources to be a member \nof their information sharing organization.\n    So it's an issue we continue to look at and that we want to \nreally address.\n    Mr. Collins. That's encouraging.\n    Mr. Scanlon.\n    Mr. Scanlon. Yes, sir. I'd point to the WannaCry event \nwhere during the course of that we at the HCCIC were able to \nproduce--we called them one-pagers, 101s, to begin to answer \nquestions from the small organizations that were on the phone--\nhow do I patch, how do I detect, what should I look for, what \nis the main vector that I should.\n    So we were able to provide this sort of information in real \ntime to folks who don't have sophisticated cybersecurity teams \nto back them up and answer their questions. 
We look forward to \ncontinue to do that as a series of products.\n    I would like to just mention we once spoke to an \nadministrator of a hospital in Indian Health Service, the third \nlargest health care organization in the country, I believe, and \nvery, very underfunded in many ways. And this administrator \nsaid to us, we know they're social engineering, we are catching \nthe phone calls, we know they're phishing us, we see the e-\nmails. We don't know who they are, what they're going to do \nnext and what we should do about it. Those three questions are \nthe questions that HCCIC is committed to answer in conjunction \nwith our partners with the support of our colleagues in ASPR \nand I think that is exactly what the task force was looking for \nas well.\n    Mr. Csulak. Yes. When we looked at the task force, this was \nclearly seen as a major challenge where cybersecurity is a \ncollateral duty in many of these small- and medium-sized \norganizations. They're overwhelmed with information sharing. \nHow do we curate that information and simplify it and make it \neasier for a smaller number of people to adopt and embrace? How \ndo we look at comprehensive education for these organizations? \nIt can't just be an IT security person in there. We need to \neducate the patients. We need to educate the clinicians. We \nneed to bring this to the boards. How do we bring that to a \ncomprehensive thing to make sure we do that?\n    And the report also talks about how do we look at shared \nservices to offload the burden particularly on these small \norganizations? How do we partner with industry, with the NHISAC \nand High Trust on their initiatives that they're doing around \nthis challenge of small- and medium-sized businesses? The task \nforce looked at a comprehensive view and there are many ways \nand many areas, obviously, that they tried to address in the \nreport.\n    Mr. Collins. Well, thank you, that's all great. 
We are all \nfocused on the same thing and the unfortunate fact is small \nbusinesses sometimes don't survive a cybersecurity attack that \nactually puts them down.\n    So thank you, Mr. Chairman. My time has expired. I yield \nback.\n    Mr. Murphy. Thank you.\n    I recognize the gentleman from California, Mr. Peters, for \n5 minutes.\n    Mr. Peters. Thank you very much, Mr. Chairman.\n    I want to ask some questions about the WannaCry event, \nwhich crippled 200,000 computers in 150 countries.\n    What assurances do the current U.S. policies requiring \ncyber protections provide that weren't present for medical \nsystems in Europe during that attack and basically how are we \ndoing--how are we better comparatively and how are we not \nbetter comparatively? Can you address that?\n    Mr. Scanlon. So I think you're referring to the difference \nand the disparity between the effect on Europe and the effect \non the United States.\n    Mr. Peters. Was there something that we are doing better \nthan them because we didn't get--or was it just good luck?\n    Mr. Scanlon. In part, it was probably good luck. There's a \ngreat deal of analysis to try to determine exactly what \nhappened and why in the course of that event. But there was \ncertainly a point in time where the effect of the attack \nchanged. I don't believe we were spared from everything we've \nseen; from an analytical standpoint, we were not spared the spread. \nWe were spared the impact.\n    Mr. Peters. OK. Can you help us distinguish which sort of \nmedical industry cyber systems are most vulnerable to \ncybersecurity threats like electronic health records, \nadministrative systems, medical devices or machines, telehealth \nsystems?\n    Mr. Scanlon. This is a very, very important question. 
The \nhealth care sector is somewhat unique--not entirely unique but \nit is particularly sensitive to the phenomenon of the internet \nof things and also the fact that many devices were developed \nand have been developed not with the intention of being on the \ninternet and when they were put into service, when they were \ndesigned it was never intended that they would be able to talk \nto other devices or be attacked yet they are.\n    So this represents a major investment problem and it \nproduces another problem that on the normal operating \nstandpoint we can deal with quite easily. We can patch our \nsystems without a great deal of difficulty. We can roll out \nautomated patches across tens of thousands of machines on a \nbasis. You can't quite do that in a hospital when you don't \nknow what the impact of that patch is going to be in an \noperating room or on a medical device that is unique in the way \nit's designed and structured.\n    So the health care sector has a very different type of \nvulnerability that requires a lot of thought and a lot of \neffort to begin to address and this is part of the problem that \nwe saw in the WannaCry event is that the devices that were \nunpatched were impacted by this in a very severe way and the \ndifficulty of getting those patches to them was very, very \nprofound for the users of the devices.\n    Mr. Peters. The way you've answered that question is more \nsystemic than I asked it. So I'm going to take that as implied \nthat we have to continue to figure out what's going to be \nhappening?\n    Mr. Scanlon. Yes, sir.\n    Mr. Peters. But there's many, many points of entry now, \ngiven these different devices and open source practices and it \nseems to me that that's going to be part of HHS' role, I \nassume, is in corralling this information and spreading best \npractices?\n    Mr. Scanlon. Yes, sir. And we did that during WannaCry. 
The \nHCCIC and especially the Cybersecurity Working Group has--which \nrepresents the security practitioners across the agency from \nFDA, from CMS, from OCR, ONC and elsewhere.\n    We have an effort and a task to basically get on the road \nand talk to the sector about what we know and help them \nunderstand where we have resources that can assist and how to \nput them in touch with resources that we don't have.\n    Mr. Peters. In one sense, it's more challenging than \nBritain because Britain's health system is much more \ncentralized and we have a much more decentralized system.\n    So can you elaborate on the partnerships and what Congress \nneeds to do to make sure that everyone's engaged?\n    Mr. Curren. I can say that we are working with our partners \nto enhance the understanding of this issue, especially at the \nexecutive level.\n    Mr. Peters. Who are you referring to as your partners?\n    Mr. Curren. The partners would be the--we have a sector-\ncoordinating council, which is the major trade associations \nin the health care industry as well as large-, medium-, and \nsmall-sized companies. We----\n    Mr. Peters. Hospitals?\n    Mr. Curren. Hospitals are part of that but also \nassociations like American Hospital Association, which help us \nreach out to--as a force multiplier to their members.\n    Mr. Peters. Right.\n    Mr. Curren. So those are the organizations that we are \nworking aggressively with to help spread this message to--that \nit's an important issue, an issue we need investment in, in the \nprivate sector as well.\n    Mr. Peters. I'm just taking as a takeaway is that we must \nbe at a very early stage of this because we don't have a lot of \nspecifics about it.\n    I do hope that you have the resources that you need, that \nyou are sharing best practices among hospitals. Mr. Scanlon, do \nyou have anything further you wanted to add?\n    Mr. Scanlon. Yes, sir. 
I just wanted to emphasize the point \nthat you're making is that the development of communications in \nthis area is very important to us.\n    We saw during WannaCry that there's a lot to be learned and \na lot to----\n    Mr. Peters. In the sense of information sharing?\n    Mr. Scanlon. Information sharing and also alerting. We \ndiscovered that it's very difficult. The sector, as you noted, \nis very diverse and very disparate. So there is no one single \nchannel that you can just broadcast out to. We have to find \nways to reach down into the smaller organizations.\n    One of the things that we would, of course, like to ask in \nyour help in the future any advice and assistance you can give \nus to reach the constituents in your district who need to know \nthis. We stand ready and would really like to assist in that.\n    Mr. Peters. Well, my time has expired but I'm sure you'd \nfind everyone on this panel desperate to make sure that you're \ngetting this information to their districts. So I don't think \nthat'll be a problem.\n    Thank you, Mr. Chairman, for your indulgence.\n    Mr. Murphy. I now recognize Mr. Costello for 5 minutes.\n    Mr. Costello. Thank you, Mr. Chairman.\n    My question is for all witnesses. It's a little long. Bear \nwith me.\n    During our hearing on this topic a few months ago we asked \nour witnesses whether the fact that many different pieces of \nHHS are responsible for regulating different pieces of the \nhealth care sector causes confusion or duplication for \ncompanies trying to remain compliant.\n    I'd like to read to you what one of the witnesses at that \nhearing said, because I think it sums it up pretty well: \n``While many regulations that apply to cybersecurity in health \ncare are well-meaning and individually effective, taken \ntogether they can impose a substantial legal and technical \nburden on health care organizations. 
These organizations must \ncontinually review and interpret multiple regulations, some of \nwhich are vague, redundant, or both. In addition, organizations \nmust dedicate resources to implement policy directives that may \nnot have a material impact on reducing risks.''\n    This observation was also made in the task force report \nthat just came out. Now that HHS has received this feedback \nfrom the industry, a twofold question. Will there be a review \nthat looks at cybersecurity regulations across the department \nto make sure that they are aligned? Second, if duplicate, \nconfusing, contradictory, or ineffective regulations are \ndiscovered, as I imagine they probably already have been \ndiscovered, how will the department address them?\n    Will you look to streamline, supersede, or otherwise make \nworkably clear the various regulations so that the issue is \naddressed?\n    Mr. Curren. I can start off with some comments related to \nthe high-level implementation of the task force report and be \nhappy to have additions from my colleagues.\n    The task force report really was a milestone both for \nindustry and for HHS. It really set a marker down to say here \nare all the things that we can do to improve cybersecurity in \nthis nation. There are more than 100 imperatives, \nrecommendations, and action items in the task force report. \nAbout half relate to the government and about half relate to \nthe private sector.\n    So there's a lot of work for everyone to do. HHS right now \nis taking a look at the report and all the recommendations that \nare there, looking at which recommendations might relate to our \ncurrent authorities and resources where we have programs \navailable, where we can do good work, which ones may be of \ninterest to our partners where we can work with them to help in \nimplementation and also look at a time frame.\n    There is so much to do and many have very long time frames \nin terms of the action items. 
So we'll need to prioritize and \nsequence how we do things. I think that for us the regulatory \nreview would certainly be part of that overall look. We do need \nto go through the whole report though and find out where all \nthe priorities are for HHS and for our partners.\n    Mr. Csulak. I think as you called out in the report, the \ntask force and two of the task force members who spoke in April \nhighlighted these points is that harmonization of the \nregulations is a key piece and a key challenge of that.\n    I think as we've looked even before the task force report \nwas completed, we had already been discussing some of these \nchallenges in the Cybersecurity Working Group in HHS to try to \naddress some of these challenges.\n    So this has already come up. We are really looking at the \npotential negative impacts of regulations and how can we change \nthis from a negative to a positive. Why are we punishing people \nfor trying to do the good thing when we should be encouraging \nthem to make improvements and so forth?\n    So do we have an answer for those right now? No. But I know \nthat ONC and OCR and the other regulatory bodies within HHS \nwere clearly engaged with the task force activities and the \nrecommendations. They heard directly from the industry partners \nwhere they were having challenges and we are hoping very much \nso that those will come back through the working group as \nsolutions and activities in the near future.\n    Mr. Scanlon. Yes. Echoing what my colleagues have said, we \nare very well aware of two things. One, the reporting on the \nimpact of these regulations is not what we would like it to be. \nWe don't know exactly how big, bad or indifferent this impact \nis. We would like to know that. But we do know that it's very \nreal and we are taking it very seriously. 
The second thing is \nthere's another part of the answer to the question is that we \nare engaged in an effort through the discussion about the \ncybersecurity framework, the NIST risk management approach, and \nshifting the sector from a cybersecurity focus that is merely \nbased on compliance and which is largely risk avoidance or fine \navoidance into an actual dynamic management of the risks and to \ndetermine what is needed for them to do that.\n    So we hope that that effort will help shape this and give \nus a greater insight into where regulations are impeding the \nability of organizations to shift out of a pure compliance \nmode. And also the extent to which the type of threat--the \nregulations that exist were not really designed to deal with a \ncyberthreat of the type that affects us and as one of the \nmembers pointed out, all these systems are vulnerable.\n    So it's very, very hard to avoid under some circumstances \nthe sense that we are victimizing the victim and we very much \nwant to get away from that and move people into an active role \nin the defense of their systems in conjunction with us.\n    Mr. Costello. Thank you. I yield back.\n    Mr. Murphy. I now recognize Dr. Burgess for 5 minutes.\n    Mr. Burgess. Thank you, and that's an excellent place to \nstart, Mr. Scanlon, or really any of you--the concept of \nvictimizing the victim.\n    Now, Ms. Castor from Florida talked about the Office of \nCivil Rights in Department of Health and Human Services. When \nwe had our hearing here several weeks ago in April with the \npublic-private partnerships in the health care sector and, \nagain, as Mr. Costello was bringing up, the dual role of HHS \nand the regulator as well as being responsible for the sector-\nspecific integrity, it came up that there is, under the Office \nof Civil Rights under their portal there is what's called the \nWall of Shame. Are you guys familiar with that? Is it helpful?\n    Mr. Scanlon. 
Sir, we heard you loud and clear at that \nhearing and we took that matter back to the secretary. He has \ntaken it very seriously and is working on an effort to address \nthe concerns that you raised. We'd like to get back to you in \nmore detail. The work is not complete but it is underway.\n    Mr. Burgess. Is that something that can simply be taken \ncare of within the agency?\n    Mr. Scanlon. Yes, sir.\n    Mr. Burgess. Or would, perhaps, it be better to have \nlegislation? What concerns me is this thing's been out there. \nThe first infraction was October of 2009.\n    Mr. Scanlon. It's still up there.\n    Mr. Burgess. A facility in Texas. Yes, and it's still up \nthere.\n    Mr. Scanlon. Yes, sir.\n    Mr. Burgess. And you reach the threshold of 500 charts or \nwhatever affected and you're up there. I don't know how that \naffects someone's ability to--does it affect their ability to \nstay in business.\n    I don't know what kind of follow-up there's been done on \nwhether or not access to capital has been limited because they \nappear on the Office of Civil Rights' Wall of Shame at \nDepartment of Health and Human Services. I can just imagine \nthat that is a big deal and, again, we are victimizing the \nvictim again. Why wouldn't we be helping people rather than \ncontinuing to penalize them?\n    Mr. Scanlon. Sir, we are with you 100 percent and we are--\nboth what we are doing with the HCCIC to try to reach out to \nhelp people understand first how to avoid those. There are \nthings that can be done to avoid the problems that people end \nup on the wall.\n    At the same time, I think you asked about legislation. This \nis a matter to be considered at some point. The threat has \nchanged. The nature of the problem has changed.\n    Mr. Burgess. Correct.\n    Mr. Scanlon. There are certainly matters of due diligence \nthat need to be brought to attention and need to be publicized \nand people need to be called to account for those things. 
There \nare the matters where people are being attacked by \nattackers who far overwhelm their capabilities to defend \nthemselves and we need to distinguish between those.\n    Mr. Burgess. Sure.\n    Mr. Scanlon. We did that initially. We've done that in our \napproach to cybersecurity in the federal government.\n    We've adopted the risk management framework where we use a \nrisk assessment approach to evaluate these to determine \nseverity and to apply resources to the most severe problem \nrather than just shotgun at anything we find. So we think that \nthis is a model that can be applied. That's why the task force \nand others are recommending the adoption of the cybersecurity \nframework approach and we would like to see that reflected. We \nhope to see that reflected in the way that the agency \napproaches these regulatory matters and we would like to \ncontinue talking with you about that as well.\n    Mr. Burgess. Very well. I haven't gotten enough in-depth \nresearch. I don't know if the Office of Personnel Management is \non your Wall of Shame or not. They were actually involved in a \nbreach a couple of summers ago, as you may recall.\n    Let me just ask you then on--and I've got a number of \nquestions and I will submit them for the record because I've \ngot too much to get through in this context. We had the \nransomware attack. Fortunate in this country that it wasn't as \nbad as it could have been. But aren't there still a couple of \nsites that are having ongoing damage from that attack where \nthat malware is continuing to try to lock down their files?\n    Mr. Scanlon. Yes, sir, and we did a call last week to the \nsector to talk about that. There's a peculiar feature of the \nmalware is that the virus itself and its encryption payload are \ntwo separate parts of the attack. The encryption payload has \nbeen defused largely or is being caught in many cases by \nantivirus and other detection systems. 
But the virus may have \nalready been present on a system and even if the system was \npatched, when it reboots for whatever reason the virus goes \ninto action and the attempt of the virus to activate itself can \nknock over certain Windows systems and bring them down and \ncrash the device and that's happening globally.\n    So there's an iterative process of discovering which \nmachines are still vulnerable, where the virus is resident, not \njust patching but then reimaging and rebuilding the machines \nand that's what is happening in the instances that we know \nabout.\n    That's basically what's going on and it's going to take \nsome time for everybody to get this problem rooted out of their \nsystems because of the virulent nature of it.\n    Mr. Burgess. And I assume you'll have ongoing help with \nthat. Good. Let me just be sure I understood you correctly. So \nwe can look forward to being able to take a field trip to HCCIC \nat the end of June. Is that correct?\n    Mr. Scanlon. We'd be delighted to have you.\n    Mr. Burgess. All right. Well, we will await the invitation. \nThank you very much. Thank you, Chairman.\n    Mr. Murphy. Thank you. I now recognize Mr. Carter for 5 \nminutes.\n    Mr. Carter. Thank you, Mr. Chairman, and thank all of you \nfor being here. As a health care provider for many years I can \ntell you this is extremely important and of concern to all \nhealth care providers for a number of reasons, not the least of \nwhich are the penalties involved with HIPAA and everything else \nthat we are acutely aware of.\n    Let me ask you, Mr. Csulak, you're the co-chair of the \nHealth Care Industry Task Force and that task force has the \ncharge of coordinating industry and the government side to \ncooperate with and secure digital networks. Is that correct?\n    Mr. Csulak. Well, we had a task to analyze the challenges \nand create the report for action. 
It was, again, a one-year \nlimited version of a task force to come up with these \nrecommendations and is not necessarily an ongoing activity \nunder the current legislation.\n    Mr. Carter. OK. Well, can you describe for me your \nexperiences when you first heard about the WannaCry attack and \nyour interaction with industry? Can you walk me through that?\n    Mr. Csulak. Yes. When we looked from a task force \nperspective on the challenges there, what we really see is, the \ntask force identified and, repeat that, industry and government \nneed to work together about promoting and promulgating best \npractices in cybersecurity and really, I think when you look at \nthe action items that came out of WannaCry, they clearly lined \nup with the task force recommendations of focusing on those \nbest practices, how do we roll those out, making sure that we \nhave good cyber hygiene on our computers.\n    So, I think the recommendations around WannaCry really do \nline up and successfully match to the task force \nrecommendations.\n    Mr. Carter. Can you give me an idea about the quality of \nthe devices that hospitals are using now? Are they pretty well \nprepared, or the health care facilities, they've used a lot of \nthese devices for many years. Are they up to date? Are they \nprepared? Do we need----\n    Mr. Csulak. The task force members really said they run the \ngamut. We've got some organizations which are using state of \nthe art information but there's a lot of large technology like \nx-ray machines and other big bill items that really are legacy \napplications, legacy operating systems which are a challenge.\n    So I think when you look at the task force report it looks \nat some of those challenges. It was, like, look, we need to do \na better job developing new stuff, secure operating systems do \nthat. But we also have to look at architecture and security \ndesign issues around how do we segment these systems which are \nolder. 
We still need to operate on them. Small organizations \nmay not be able to really easily replace a scanner. How do we \nhelp them segment that stuff so it becomes less risky?\n    Mr. Carter. Do you feel like we are making progress?\n    Mr. Csulak. I think we are making progress. I think if you \nlook at the task force report they really see this as a goal \nthat industry recognizes and can embrace about coming up with \nbetter best practices for this. So they were very confident \nthat this is an area where industry really can be a leader in \nthis area and I think what we are doing is we are seeing \nprogress in there but, obviously, there's a lot of room to \ngrow.\n    Mr. Carter. Good. Mr. Scanlon, very quickly, you're deputy \nchief information security officer at DHS and the HHS designee \nfor cybersecurity. One of the things in the cyberthreat \npreparedness report it identified a number of findings, \nincluding the fact that there are 11 components within the \ndepartment that contribute to the health care sector threat \npreparedness. But a consistent concern that we found in \npreparing for this hearing was that there's a confusion out \nthere about who to call and with some of the outside groups.\n    What are we doing about this to try to clear that up?\n    Mr. Scanlon. Well, sir, step one--and we are acutely aware \nof that internally ourselves. I would like to say, though, on \nthe one hand there is an advantage to this large array of \norganizations that we have a 360-degree view of the sector. So \ninternally our intention is to be able to get that view as a \nsingle view that can go out and provide a 311 capability and \nthis is what the Cybersecurity Working Group is primarily \ntasked with doing.\n    That, of course, takes work. That takes time. But we are \nunderway doing that. We are going to be looking to you for \nsupport in that effort as it goes forward. 
But that is exactly \na problem that we intend to solve and we saw that very clearly \nin the WannaCry event. We have solid proof of why that needs to \nbe addressed and we think we have a path forward to do it.\n    Mr. Carter. Great. Well, I'm out of time and I yield back.\n    Mr. Murphy. Thank you.\n    I will now recognize Ms. Walters for 5 minutes.\n    Ms. Walters. Thank you, Mr. Chairman.\n    As you mentioned in the testimony, HHS coordinated with \nNCCIC following the WannaCry attack. I have toured NCCIC and \nunderstand the role it plays in the cybersecurity space.\n    Mr. Scanlon, I'd like to get your thoughts on how the HCCIC \nfits into the public-private partnership for the health care \nsector, specifically how it will work with NCCIC and NHISAC. On \nthe surface, it appears that this could create confusion by \nadding another layer or could be duplicative of these \norganizations.\n    Can you elaborate on how the HCCIC will work with the NCCIC \nand NHISAC?\n    Mr. Scanlon. Yes. 
Thank you very much.\n    Yes, the HCCIC's function is to be able to reach into what \nwe were just describing as a very diverse and complex sector \nand to leverage what exists at the NCCIC level.\n    So the NCCIC has the capability to coordinate across the \nsectors, across into the intelligence community and at the \nfederal level through law enforcement.\n    So the HCCIC's function is to start to provide a \ncommunication channel from the sector, especially the smaller \nand medium-sized organizations that don't necessarily know \nabout NCCIC or don't really know how to get to US-CERT or might \nwhen they contact their local law enforcement official might or \nmight not get in touch with some federal level capability.\n    The HCCIC can leverage what ASPR already has, which is this \ntremendous ability to reach into the sector and become a \ntransmission vehicle up to the NCCIC and do something that \nNCCIC on its own as an organization is really not quite \ndesigned to do. It's got a different function.\n    Ms. Walters. Right.\n    Mr. Scanlon. At the same time, the HCCIC is a vehicle to \ncoordinate with private-sector partners. There are many ISACs. \nEmery mentioned High Trust as one that's very active. NHISAC is \nthe grant award organization that is building out a portal that \nwe intend to share with and provide as another major point of \ncontact.\n    The sector works with many, many channels. Different \norganizations communicate in different ways. What we are trying \nto do in the course of this is get out the word that this is \nwhere you can get coordinated information and we would like to \nbe able to and intend to be able to reach to each of these \npartners and work with them and we did do that during the \nWannaCry event.\n    High Trust was on the call. NHISACs were on the calls. 
They \nwere able to provide insight and information that they had from \ntheir activities to the rest of the sector and we would like to \nmake that not just an emergency event but an ongoing activity \nthat the department carries out on a daily basis.\n    Ms. Walters. OK. Were these organizations involved in the \ndiscussions or decision to establish the HCCIC?\n    Mr. Scanlon. Not directly. We knew that the grant from ASPR \nand ONC was going to ask somebody to do that. So we didn't \ndiscuss with any of the bidders or the grant recipients. But we \ndid discuss among ourselves how we would then be able to \nrespond once that grant was awarded what would the agency do on \nits side to be able to work with that partner.\n    Ms. Walters. OK. So HHS did not have any discussions with \nthe Department of Homeland Security about the establishment of \nthe HCCIC prior to----\n    Mr. Scanlon. We had extensive discussions. In fact, it was \npeople in the Department of Homeland Security who suggested \nthat we move and think in this direction.\n    We have talked to Department of Homeland Security about \ndeveloping CONOPS. This is a work in progress now. We have \ntalked with them about the very concerns you raised are \nconcerns for us, obviously.\n    We don't want to duplicate. We don't want to reproduce \ncapabilities that DHS already has. We very much want to \nleverage their capabilities out to, like, the cyber hygiene \nprogram, which is a very scalable and valuable thing for the \nentire sector, and we want to work with DHS to figure out the \nactual escalation, communication and integration of these \ncapabilities both on the emergency management side, because \nthat's another aspect of DHS that's, again, well established \nand the cybersecurity side through NCCIC and US-CERT.\n    Ms. Walters. OK. 
A second question I have is a concern that \nwe've heard raised with regards to the HCCIC is that \ninformation shared with the center might not receive liability \nprotections provided under the Cyber Information Sharing Act of \n2015.\n    Has HHS determined whether or not information shared with \nHCCIC will receive CISA liability protection?\n    Mr. Scanlon. Our lawyers have reviewed that and we had \nongoing work during the WannaCry to clear that up because that \nis a widespread belief; it is not correct. There are very, very \nstrong protections in PCII, HIPAA, and the CISA that encourage \nthe sharing of indicators and defensive measures and identify \nwhat information should not be shared--PII, PHI, attributable \ninformation. And from our standpoint, we need nothing of that \ntype nor do we even need to know entity information in order to \ncarry out the evaluation and analytic work that we do.\n    So as I mentioned, we are working with our legal teams and \nreview organizations to develop plain language descriptions of \nhow those protections work and what they would provide to the \nsector so that we can have that available for people to \nunderstand and be clear about it.\n    Ms. Walters. OK. Thank you. I'm out of time.\n    Mr. Murphy. I think that concludes all of our questions for \nthis panel.\n    I do want to say this. I want to commend you all for the \nwork you did on dealing with the WannaCry threat that occurred. \nGranted, it was not as mature or developed as it could have \nbeen but it was perhaps a good test run of some of your work. \nSo thank you for that, and it was helpful to hear the lessons \nlearned from this as you moved forward on this.\n    I want to thank all of you for being here participating in \ntoday's hearing. 
I remind members they have 10 business days to \nsubmit questions for the record.\n    I would ask that all the witnesses please agree to respond \npromptly to those questions.\n    And with that, this committee remains adjourned.\n    [Whereupon, at 11:53 a.m., the committee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n    \n    \n   \n    \n\n                                 <all>\n</pre></body></html>\n"