2018 Safety, Security and International Affairs

Stephen C. Curren and the Cyber Incident Response Team

Defended health care computer systems in the U.S. from a global cyberattack that threatened patients’ health and safety

In the spring of 2017, a new type of computer malware known as WannaCry spread across the globe attacking hundreds of thousands of digital devices in a matter of hours, preventing access to information until victims paid a ransom.

Targets included hundreds of hospitals and other health care providers in the United Kingdom that were forced to drastically reduce surgeries, cancer treatments and other services because the ransomware made patients’ records inaccessible. Fearing the U.S. might face a similar fate, Stephen Curren and colleagues from the Department of Health and Human Services coordinated a national response to help protect public and private health care computers systems from the worst effects of WannaCry.

“Stephen focused on ensuring the protection of HHS systems and on communication with private-sector health care organizations to assist them in protecting their computer systems,” said Jessica Fantinato, deputy director of the Office of Emergency Management at HHS. “That minimized the impact of the virus,” she said.

“The fact that we were able to stem the tide of this computer virus was lifesaving,” Fantinato added

The cyberattack could have incapacitated health care facilities across the country “because everything in a hospital, like any other business now, is networked,” said Curren, who is director of the Resilience Division in the Office of the Assistant Secretary for Preparedness and Response. “And when you lose that network, you lose the ability to care for patients.”

Curren’s group has traditionally focused on medical and public health needs during physical disasters like hurricanes and tornados. But he also led HHS in convening a task force in 2016 at the direction of Congress to address the growing number of cyberattacks on the health care industry.

When Curren and his colleagues learned what happened in the United Kingdom, they immediately briefed department leadership that WannaCry posed a significant threat to the U.S. health care system. Following their advice, an emergency management group was convened to coordinate the response. As the group lead, Curren took existing processes for dealing with physical disasters and adapted them to a cyberattack response.

“It’s easy to look at a hurricane and see what the impact is, but with something like this cyberattack, it was really difficult to see where it would hit and what the damage could be,” said Sam Imbriale, team lead with the department’s mission coordination branch.

“Because of Stephen’s involvement, we were able to make sure the U.S. health care system was hardened to this potential threat. And HHS’s networks were certainly secured very quickly,” Imbriale said.

Fortunately, Curren and his team had strong relationships with health care providers, trusting them as credible sources of information who could sound the alarm. “We provided the tools that organizations could use to best protect themselves from that threat,” Curren said.

To expand its outreach, the team set up a daily teleconference for health care providers to receive updates and learn how to safeguard their facilities. At its peak, there were 3,500 people on the daily teleconference, many of whom later signed up to receive regular emails with information about other threats, said Laura Wolf, chief of the HHS Critical Infrastructure Protection Branch. “That was important because another cyberattack occurred a month later,” she said.

Cyberattacks remain a growing problem in the U.S. and require heightened vigilance. Since 2014, the top dozen major breaches of health care organizations alone have affected more than 120 million patient records, and hospitals have been hit with recurring ransomware attacks.

With the lessons learned from the WannaCry attack, Curren and his team have been working to improve collaboration on cybersecurity with private health care organizations and the public.

He also has developed HHS-specific cybersecurity protocols to determine threat levels and corresponding responses, said Nickol Todd, deputy director of the department’s resilience division. “It’s important for the health care sector to be able to recognize when a cyber threat is a high risk for health care even if it’s not having as big an impact on other industries,” she said.

While threats remain, Curren’s determination to protect health care systems has made patients safer.

“Stephen has made sure that if a major cyberattack happens again, it will be just like flicking a switch,” Imbriale said. “We can go from our typical response to a hurricane to responding to a cyber event.”