HHS unit works to curb cyberattacks

By Eric Geller, Ben Leonard and Ruth Reader

HHS' Health Sector Cybersecurity Coordination Center offers resources to help prevent data breaches in the health care industry. | Damian Dovarganes, File/AP Photo | AP Photo

A NOT-SO-SECRET WEAPON AGAINST HACKERS — As health care companies face a brutal one-two punch of pandemic chaos and ransomware attacks, a small unit inside HHS is helping them fight back.

The department’s Health Sector Cybersecurity Coordination Center is a one-stop shop for information about hackers’ activities and ways to avoid being hacked. It distributes threat advisories, vulnerability announcements and other warnings to give executives and IT employees at health care firms a sense of how to spend their limited time and resources. HC3, as it’s known, has spent almost four years building up its capacity, and HHS’ partners in the industry say the center’s help has never been more critical.

Cyberattacks against the health care sector have ballooned in recent years as poorly secured medical technology proliferates, pandemic disruptions strain workforces and ransomware gangs see opportunities to profit by extorting companies that can’t afford any downtime. More than a third of health care organizations reported experiencing ransomware attacks during the pandemic’s first year, and data breaches at health care firms hit an all-time high in 2021, according to the cyber firm Critical Insights. Health-technology vendors have been a prime target — a breach at prescription benefits technology vendor CaptureRx exposed the data of 17 hospitals and other customers and a ransomware attack on the health care system Scripps Health knocked multiple patient-care systems offline.

“We’re literally under siege,” said Mari Savickis, vice president for public policy at the College of Healthcare Information Management Executives, which represents health care IT leaders. “It is relentless.”

Health care cyber experts say HC3 has been an excellent partner. “It is a national asset,” Savickis said. “They really produce amazing material, and they've been doing it for years on a shoestring [budget].”

John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk, said HC3 excels at presenting information about cyber threats “through the lens of the health care sector” and highlighting how it’s relevant to those companies. The center’s guidance includes high-level overviews designed to grab the attention of board members, who can then pass it on to their companies’ cyber experts with instructions to act on its more technical recommendations. The American Hospital Association frequently shares HC3’s reports on its website , and Riggi said he regularly speaks with the center’s leader, Rahul Gaitonde.

HC3’s advice and recommendations are especially critical for small health care providers, which often lack dedicated cyber teams. Cyber experts say that in any highly interconnected industry, those small firms represent weak links that hackers can use as springboards for breaching larger targets. By disproportionately straining small health care firms, the pandemic has exacerbated those risks for the industry.

DHS’ Cybersecurity and Infrastructure Security Agency already provides cyber guidance and services to all manner of critical infrastructure operators, including hospitals and medical device makers. HC3 was created as the rebranding of a predecessor unit inside HHS that earned some criticism for potentially duplicating those efforts. The department relaunched and renamed the organization in 2018, the same year Congress created CISA and began building it up as the government’s central resource for cyber aid to the private sector.

But it’s fitting that HHS runs its own cyber center, cyber experts said. “We have our own needs over here,” said Savickis, and HHS has a unique understanding of patient safety issues. Given the industry’s acute impact on public safety, Riggi added, it makes sense for the government to offer “extra resources to defend health care.”

Still, these cyber professionals have concerns about how HC3 is funded and how its guidance is written. Riggi said the center should do more to “leverage the expertise of practitioners in the health care field” so its advice about implementing certain technologies better reflects the challenges of doing so. HC3 could also use more input from clinicians and health care professionals about the unique dangers that cyber threats pose to the sector.

Meanwhile, Savickis wants Congress to boost HC3’s profile inside HHS by giving it a dedicated and increased budget. It currently draws money from the budget account for the department’s chief information officer, where it’s administratively housed. (HHS didn’t answer questions from POLITICO.)

HC3 “is still young and maturing,” Riggi said, “and they have a long journey ahead.”

Welcome back to Future Pulse, where we explore the convergence of health care and technology. Share your news, tips and feedback with Ben at bleonard@politico.com or @_BenLeonard_ and Ruth at rreader@politico.com or @RuthReader. 

INTRODUCING DIGITAL FUTURE DAILY - OUR TECHNOLOGY NEWSLETTER, RE-IMAGINED:  Technology is always evolving, and our new tech-obsessed newsletter is too! Digital Future Daily unlocks the most important stories determining the future of technology, from Washington to Silicon Valley and innovation power centers around the world. Readers get an in-depth look at how the next wave of tech will reshape civic and political life, including activism, fundraising, lobbying and legislating. Go inside the minds of the biggest tech players, policymakers and regulators to learn how their decisions affect our lives. Don't miss out, subscribe today.

Zeke Emanuel @ZekeEmanuel: “Our health care workers are burning out at alarming rates. A few things [HHS] can do – fund programs to support mental health, increase facility security to protect from physical harm, approve digital health solutions to cut down on admin work.”

In a new study, AI deep learning models could identify a person's race using a chest-area X-ray or scan. | Getty Images

AI DETECTS RACE — A team of international researchers found that artificial intelligence could predict a person’s race from chest-area medical images like X-rays and CT scans with striking accuracy. And they don’t know why it’s so accurate.

The AI deep learning models, which use layers of algorithms to recognize nuanced patterns in data, were higher than 90 percent accurate — levels of performance that remained even when accounting for potential confounding variables. Those rates are far better than that of radiologists, who were about 50 percent accurate in identifying race from images, lead author Judy Wawira Gichoya, an assistant professor of the department of radiology at Emory Medical School in Georgia, told Future Pulse.

“These images have something hidden in them that is not perceptible [to the human eye],” Gichoya said. “Unfortunately, we haven’t figured out the why.”

When researchers altered the images by blurring and adding noise to them, she said, the models’ accuracy dipped yet still remained high.

The researchers wrote in Lancet Digital Health that since experts can’t pick up race like the AI can, it’s difficult to provide oversight over the technology.

“This issue creates an enormous risk for all model deployments in medical imaging: if an AI model relies on its ability to detect racial identity to make medical decisions, but in doing so produced race-specific errors, clinical radiologists (who do not typically have access to racial demographic information) would not be able to tell, thereby possibly leading to errors in health-care decision processes,” the researchers wrote.

Algorithms have been found to be racially biased in health care, with significant consequences. For example, a 2019 study in Science found a common hospital algorithm less frequently referred Black people than white people to programs bolstering care despite the same level of sickness.

TELEHEALTH DISCUSSION DRAFT — The top two lawmakers on the Senate finance committee unveiled a proposal to permanently remove the requirement that Medicare patients see mental health care providers in person before undergoing telehealth visits.

The requirement isn’t currently in effect because of the Covid-19 public health emergency.

The proposal from Chair Ron Wyden (D-Ore.), ranking member Mike Crapo (R-Idaho) and others would remove the requirement if the provider could give care in person “within a reasonable period of time” or has an arrangement to refer the patient to another provider who could do so.

The caveats in the proposal prevent a full-throated repeal of in-person requirements that many telehealth industry advocates have lobbied for, arguing that a less restricted repeal would expand access.

“The draft signals a few guardrails that we could see duplicated in future efforts around multispeciality telehealth expansion, including providers effectively attesting that the care is not being delivered in a silo without any local supports or documentation,” said Cybil Roehrenbeck, a partner at Hogan Lovells' health care lobbying practice.

The measure would also create a “bill of rights” for telemental health aimed at spreading awareness of telehealth access. The bill is part of a larger mental health package that Wyden hopes to mark up in the summer.

STEP INSIDE THE WEST WING: What's really happening in West Wing offices? Find out who's up, who's down, and who really has the president’s ear in our West Wing Playbook newsletter, the insider's guide to the Biden White House and Cabinet. For buzzy nuggets and details that you won't find anywhere else, subscribe today.

CVS DIVES INTO VIRTUAL-FIRST — CVS Health is launching a single online platform for its virtual-first primary care program that lets patients choose between virtual or in-person care.

The new platform is another move in virtual primary care for CVS via Aetna and CVS Caremark. Many of the nation’s largest insurers, including United Healthcare, Centene, CVS Health and Cigna, have moved to offer plans that direct patients to virtual visits before getting in-person care.

Insurers say the plans can produce savings, better outcomes and expanded access for underserved people.

“Walmart, CVS to stop filling controlled-substance prescriptions for Cerebral, Done” — Rolfe Winkler and Sarah Nassauer, The Wall Street Journal

“ChristianaCare rolls out 'cobots' to help nurses with nonclinical tasks” — Mike Miliard, Healthcare IT News

“Remote learning apps shared children’s data at a ‘dizzying scale’” — Drew Harwell, The Washington Post

Follow us

To change your alert settings, please log in at https://www.politico.com/_login?base=https%3A%2F%2Fwww.politico.com/settings

This email was sent to by: POLITICO, LLC 1000 Wilson Blvd. Arlington, VA, 22209, USA

Please click here and follow the steps to .