
How Biden’s cyber strategy will impact low-resourced sectors like healthcare


The Biden administration’s cyber strategy, which focuses on shifting the responsibility from users to manufacturers, has been lauded as an important step forward. Any effort that embraces collaboration and works to better the current state of policy and tech gaps should indeed be viewed as a positive.

As the federal policy takes shape, questions remain as to how entities struggling to meet basic security standards will stack up against the new rules. For healthcare entities, new guidance from the Department of Health and Human Services may at least help with the shift to the NIST Cybersecurity Framework.

“Overall strong, [the strategy] is a comprehensive position with well-informed approaches, ideas, tactics and recommendations,” Carter Groome, First Health Advisory CEO, told SC Media. “This will hopefully put more pressure on Congress to act, as national security, public trust, and patient safety should not be a partisan issue.”

Combined with the HHS/HSCC framework, it’s “a path to greater harmonization of standards across all sectors, supporting the recently published national cyber strategy,” he added. “I’m optimistic this flurry of activity will lead to statutory support and incentives to improve our sector cyber posture.”

However, rebalancing responsibility from users to manufacturers “is a tricky area” in healthcare. Indeed, when SC Media proposed in August 2022 that the onus of medical device security be shifted from over-burdened providers to manufacturers, the idea was met with a lot of pushback.

Groome also noted that, with this type of shift, liability will go up for both device manufacturers and security platform vendors.

On the other hand, the expanded use of minimum cybersecurity requirements is something the healthcare sector, in particular, has been working toward for more than a decade. Its inclusion is an overwhelming positive.

But it will “be a tough pill to swallow in healthcare,” explained Groome.

What’s needed in healthcare, and likely in other low-resourced industries, are incentives to make these seismic shifts and to limit the burden on entities already struggling to meet the bare minimum. Together, these would make a difference in the battle we are fighting, he added.

It’s not unwillingness holding back security in low-resourced sectors

Stakeholders from lower-resourced industries like education and healthcare have long warned that tight budgets, staffing shortages, and knowledge gaps have limited the ability of IT and security leaders to implement the changes needed to reduce the attack surface and bolster critical infrastructure.

Verizon’s annual Data Breach Investigations Report consistently names these sectors, as well as manufacturing and government, as among those suffering the most incidents. These industries often don’t have the financial backing to replace dated tech, for example. Schools and rural hospitals commonly rely on out-of-date devices and security models, often because of budget constraints.

April Mardock, Seattle Public Schools CISO, previously spoke with SC Media on the challenges facing the education sector and nonprofits: These entities “really don't have the skillset to do what needs to be done here.”

“They don't have the skill sets to properly configure their firewalls, defend against phishing, or to set up the machines for reliable updates. And it’s just a few basics,” said Mardock. Guidance is “the part sometimes missing in this space: we forget about the strategic adoption, the process of making sure that you involve the stakeholders before you do something.”

Some of the strategy’s proposals would address several of these issues, including the workforce proposal that would build out a diverse and robust cyber workforce.

HHS and HSCC issue guide to shift from HIPAA to NIST

The Health Sector Coordinating Council and HHS issued guidance on March 8 that will support the shift from the minimum security basics outlined in the Health Insurance Portability and Accountability Act (HIPAA) to the NIST Cybersecurity Framework (CSF).

The move comes on the heels of the cyber strategy proposals, and after many years of calls for making NIST the standard for all covered entities. Some stakeholder groups have repeatedly asked Congress to update HIPAA to reflect the current digital landscape. The new guidance should be viewed as a massive step in the right direction.

The framework implementation guide gives security leaders step-by-step measures organizations can take to “immediately” manage cyber risks facing their IT systems, in hopes of reducing the number of incidents plaguing the sector.

As seen in the spate of ongoing hospital outages and DDoS attacks against healthcare entities, bolstering cyber health across the sector should be viewed as mission critical.

The guide supplements the HHS/HSCC 405(d) Program’s earlier Health Industry Cybersecurity Practices publication, explained HSCC Cybersecurity Working Group Chair and Intermountain Healthcare CISO Erik Decker. Both the new framework and the previous guidance align with NIST.

“With this toolkit, organizations of all sizes can implement cybersecurity best practices, protect their patients, and make the sector more resilient,” Decker said in a statement.

For Groome, the framework is a “long-awaited step to build upon the NIST CSF standard and position [it] through the lens of unique health sector needs.”

“HSCC and HHS are giving every bit of impetus and attention cyber health advocates have desired in building a more resilient sector ecosystem,” said Groome. “As part of a systemically important critical infrastructure sector, health and public health entities need all the support and guidance they can get their hands on.”

The new framework should be viewed as a roadmap for implementing NIST. It provides risk management principles and best practices, a common language for addressing cybersecurity risk, and a structure for applying cybersecurity risk management; entities should review these insights closely.

“This collaborative approach is very timely, following on the heels of the White House National Cybersecurity Strategy that articulates a combined and coordinated approach between the government and private sector to help defend critical infrastructure from cyberthreats,” said John Riggi, AHA’s national advisor for cybersecurity and risk, in a statement.

“Adherence to the framework might be used to demonstrate implementation of recognized cybersecurity practices to qualify for regulatory relief for cyberattack victims provided under Public Law 116-321,” he concluded.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
