Frequently asked questions
The Health Sector Cybersecurity Coordination Center (HC3) serves as a U.S. Department of Health and Human Services' focal point for cybersecurity collaboration with the Healthcare and Public Health (HPH) sector, ensuring cybersecurity risks are actively identified and communicated.
In accordance with the Cybersecurity Act of 2015 and in its role as the designated Sector-Specific Agency, as identified in Presidential Policy Directive (PPD)-21, HHS created HC3 to ensure cybersecurity information sharing is coordinated with the HPH sector, including within HHS and with government partners, to aid in the protection of vital healthcare-related controlled information and privacy.
HC3 develops knowledge-based cybersecurity products intended to raise overall sector awareness by conducting research and technical analysis on cyber threats, and developing mitigation techniques. HC3 ensures cybersecurity information sharing is coordinated with the HPH sector, including within HHS and with government partners.
HC3 provides knowledge-based products, and communications to organizations within the HPH sector regardless of size, capabilities, and available resources. Also, HC3 has established a bi-monthly briefing forum to deliver briefings providing cyber threat information to technical and non-technical professionals within the sector.
HC3 collaborates with public/privates sector entities via various communication platforms which consists of stakeholders of different sizes and functions (varying from direct patient care, device manufacturing, to electronic health record systems). Sector entities can submit questions, and share information by contacting the email inbox at HC3@hhs.gov. Additionally, the HC3 conducts interactive meetings to learn about external organizations, challenges facing the sector, and receiving feedback on our products.
HC3 strengthens coordination of cybersecurity information sharing across the HPH sector, which consists of stakeholders of various sizes and functions, varying from direct patient care to device manufacturing to electronic health record systems. HC3 is dedicated to cultivating cybersecurity resilience regardless of an organization's technical capacity, but recognizes the special focus that small to medium sized organizations require due to their lack of dedicated cybersecurity capabilities.
HC3 believes in fulfilling its mission through close collaboration and partnerships with other organizations. HC3 coordinates with the Department of Homeland Security (DHS) National Cybersecurity and Cybersecurity and Infrastructure Security Agency (CISA) and the Assistant Secretary for Preparedness and Response (ASPR) to engage and provide services to the HPH sector. ASPR is a key partner for HC3 information dissemination and provides access to customers through the Government Coordinating Council and Sector Coordinating Council
What is the difference between the U.S. Food and Drug Administration's (FDA) cybersecurity efforts and HC3's cybersecurity efforts?
The FDA's Center of Excellence on Digital Health is focusing on the cybersecurity issues surrounding medical devices, whereas HC3 has a broader mission in looking at the whole health sector. HC3 will continue its collaboration with FDA as an integrated team to ensure the best possible protection for the public. FDA has extensive expertise and authority on all aspects of medical devices from design, deployment, oversight, and regulation. FDA's is working to provide cybersecurity market guidance to manufactures to improve the security of medical devices.
The Computer Security Incident Response Center (CSIRC) is HHS' internal center for dealing with security issues, the HC3 is an externally facing entity that is focused on the HPH sector. The HC3 does leverage information gathered by the CSIRC to inform the HPH sector and shares information to the CSIRC that we have gathered from industry.
The 405d effort at HHS was convened to support the CSA 405(d) Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use to enhance cybersecurity. The task group released the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients in December 2018 and are working to make updates to that report. The HC3 looks at immediate and ongoing threats to the sector and provides directed guidance on how to prevent, mitigate, and resolve issues, in addition to providing notifications to sector entities on immediate threats to their particular institutions.
ASPR has responsibilities across all hazards to the HPH sector, and does not always maintain the expertise in house. For instance, in the case of a Flu pandemic, ASPR conducts emergency management roles relying on the Public Health Service Corp, which is made up of practicing medical professionals, for deployment and provisioning of care. Similarly, the best place to find cybersecurity experts is on teams doing cybersecurity. The OCIO has these capabilities in the HC3; HC3's mission is to focus on maintaining cyber analysis capabilities to support HPH sector stakeholders and fostering the development of proactive HPH sector cyber defense strategies. This is the intersection of where ASPR and HC3 come together and where our collaboration lives. ASPR also works regularly with other HHS divisions, DHS, and other government partners.