What is the Health Sector Cybersecurity Coordination Center?
Cybersecurity threats in the health sector include vulnerabilities due to legacy systems, privacy protection, IT interoperability issues, and security breaches, to name a few. A source of cybersecurity guidance and information is the U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3). HC3 is an agency established in response to the Cybersecurity Information Sharing Act of 2015 in order to act as the coordinator of cybersecurity information sharing across the healthcare and public health sector to affirm the protection of vital healthcare information and aid the sector in mitigating cyberattacks. HC3’s mission is, “To support the defense of healthcare and public health sector’s information technology infrastructure, by strengthening coordination and information sharing within the sector and by cultivating cybersecurity resilience, regardless of organizations’ technical capacity.”1 HC3 ensures cybersecurity risks are actively identified and communicated with a centralized systematic operation of:
- Vigilance and awareness
In order to do that, HC3 provides a number of resources including:
Threat briefs. HC3 maintains up to date briefs that highlight relevant cybersecurity topics and raise the HPH sector’s situational awareness of current cyber threats, threat actors, best practices, and mitigation tactics.
Sector alerts. HC3 provides high-level, situational background information and context for technical and executive audiences. These alerts are designed to assist the sector with defense of large scale and high-level vulnerabilities.
Analyst notes and white papers. HC3 products include quick information analyst notes and in-depth white papers, which increase comprehensive cybersecurity situational awareness and provide recommendations to a wide audience.
Victim notification. HC3 Cyber Engagement works with many partners, including several thousand Healthcare and Public Health (HPH) entities, law enforcement entities, and preparedness and security vendors to help to elevate cybersecurity posture of the HPH Critical Infrastructure Sector. Some of this work involves directly and indirectly sharing vulnerability and victim feeds and analysis. Victim notifications are directed communications to victims or potential victims of breaches, vulnerable equipment, or personal identifiable information (PII)/protected health information (PHI) theft. These notifications cover victimized HPH entities where a threat actor has obtained access to the infrastructure of an HPH entity, has stolen and posted for sale sensitive PHI/PII, or is conducting a business email compromise and is posing as a representative the HPH entity. These notifications cover vulnerable HPH entities who inadvertently shares PHI/PII in an open format or are susceptible to known vulnerabilities or have exposed systems.
1 HHS.gov, 2022, “HC3 About Us”