White House Plans to Issue New Cybersecurity Standards for the Healthcare Industry

By | October 20, 2022

The U.S. government is taking steps to improve critical infrastructure cybersecurity, with healthcare, water, and the communications sectors the next focus areas for the White House. The White House is planning to issue new guidance and cybersecurity standards for these industries to improve resilience against malicious cyber actors, whose attacks are increasing in both frequency and sophistication.

Anne Neuberger, deputy national security advisor for cyber and emerging technology, outlined some of the key areas of focus for the White House in a recent Washington Post Live event. These steps are in line with the Biden administration’s May 2021 executive order (EO 14028) that sought to improve cybersecurity for critical infrastructure and federal information systems through public-private partnerships. A great deal of the critical infrastructure in the United States is controlled by private companies, and while there are regulations that require minimum security standards to be implemented in certain sectors, more needs to be done to ensure that standards apply to all critical infrastructure and they improving resilience.

Neuberger explained that the cybersecurity of critical infrastructure in the United States lags behind other Western countries, stating the U.S. is “pretty much last in the race” when it comes to ensuring minimum cybersecurity standards are set for critical infrastructure organizations. Neuberger said one advantage of this is the U.S. will be able to learn from its many peers.

Cyberattacks on critical infrastructure have been increasing, especially ransomware attacks, many of which have hit the healthcare sector. Those attacks often have a major impact on the ability of healthcare organizations to operate. One recent Trend Micro survey indicates 25% of healthcare organizations were forced to completely halt operations following a ransomware attack, with 60% saying the attacks caused some disruption to business processes. Those attacks naturally have an impact on public safety, with some studies (Proofpoint, Censinet, Health Services Research) suggesting patient mortality increases following ransomware or other major cyberattacks.

Other major ransomware attacks on critical infrastructure include the attack on Colonial Pipeline, which disrupted fuel supplies to the Eastern Seaboard, and the attack on JBS, which disrupted food processing. Those attacks demonstrated a lack of preparedness and were a major wake-up call, clearly demonstrating cybersecurity needs to be significantly improved for all critical infrastructure and for standards to be implemented to lessen the impact of attacks should they succeed.

The bipartisan Securing Systemically Important Critical Infrastructure (SICI) Act will play a key part in the process of improving cybersecurity for all critical infrastructure. The legislation seeks to establish a transparent, stakeholder-driven process to designate systemically important critical infrastructure (SICI). The legislation requires the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to establish a methodology and criteria for determining what critical infrastructure qualifies as SICI, to prioritize meaningful benefits to SICI owners and operators without any additional burden, and calls for CISA to provide SICI owners and operators with the option to take part in prioritized cybersecurity services. Currently, the government is not fully aware of exactly what SICI is and where security needs to be improved.

President Biden has also signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law, which requires CISA to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments. Reporting will allow CISA to rapidly deploy resources and render assistance to victims suffering from attacks. It will also allow the agency to rapidly identify cyber threat trends, and quickly share relevant, actionable information with network defenders to warn other potential victims.

Healthcare is one of the main focus areas for the White House, and efforts to improve cybersecurity across the sector are underway. Neuberger confirmed that the Department of Health and Human Services has been working with partners at hospitals and has been developing minimum cybersecurity guidelines and will be working on developing new standards and guidance for securing medical devices and other broader areas of healthcare in the near future.

The post White House Plans to Issue New Cybersecurity Standards for the Healthcare Industry appeared first on HIPAA Journal.