The Cybersecurity and Infrastructure Security Agency is taking new actions and making long-term investments to ensure cross-sector collaboration and drive security at scale, officials say.
WHY IT MATTERS
With its new FY 2024-2026 strategic plan released Aug. 4, the national cybersecurity group aims to address immediate cybersecurity threats and harden systems against attack.
The agency says cyber incidents have caused too much harm to too many American organizations and is calling for investment in cybersecurity collaboration to make the nation’s networks “a challenging and expensive target for cyber adversaries.”
CISA outlined a number of actions, including increasing the number of organizations it provides with resources to deliver cybersecurity training, securing the adoption of cloud computing resources, contributing to the ongoing development of a national cyber workforce and encouraging the adoption of its Cybersecurity Performance Goals (CPGs).
“We know we cannot achieve lasting security without close, persistent collaboration among government, industry, security researchers, the international community and others,” CISA said.
“Even as we are accountable for national cybersecurity, we must align accountability across the ecosystem, such that cybersecurity is considered a foundational business risk at every organization.”
The CPGs – designed to help critical infrastructure like the healthcare sector and other entities make risk management decisions that achieve high-priority security outcomes and consider the aggregate risk to the nation – are to be enhanced long-term “by incentivizing products less vulnerable to cyberattacks,” the agency said.
“Even as we confront the challenge of unsafe technology products, we must ensure that the future is more secure than the present – including by looking ahead to reduce the risks and fully leverage the benefits posed by artificial intelligence and the advance of quantum-relevant computing.”
Last month, the Biden-Harris administration announced the U.S. Cyber Trust Mark, a cybersecurity labeling program for consumer-grade smart devices. While the statement did not specifically address medical devices, healthcare IT, firmware or hospitals, it did elaborate on requirements the healthcare sector would benefit from under such a program:
“The program would leverage stakeholder-led efforts to certify and label products, based on specific cybersecurity criteria published by the National Institute of Standards and Technology that, for example, requires unique and strong default passwords, data protection, software updates and incident detection capabilities,” the administration said in the statement.
In its updated strategic plan, CISA said its Joint Cyber Defense Collaborative and “expanding regional teams” will bring together the government, private sector and international partners to measurably reduce cyber risk.
“We will invest in persistent collaboration defined by reciprocal expectations of transparency and value and minimizing friction to enable scale and data-driven analysis,” the agency pledged.
“We will develop, exercise and execute cyber defense plans that enable effective responses to urgent threats while retaining focus on longer-term risks that require sustained investment.”
The agency also said it will measure its visibility into vulnerabilities across critical infrastructure and government networks and will increase trust and collaboration with the research community and the private sector by expanding participation in “coordinated vulnerability disclosure” efforts.
CISA’s persistent collaboration model under the National Cyber Incident Response Plan must increase the number of participating organizations “and the operational value derived by each participant,” and the number of cyber defense plans for high-priority risks identified by public and private stakeholders, the agency said.
THE LARGER TREND
Since Biden’s National Cybersecurity Strategy calls for market forces and mandates, organizations like the American Hospital Association and HITRUST want to help make security incentives for software companies feasible.
While the strategy, proposed in March, “acknowledges that private sector efforts alone are insufficient to counter the significant cyber threats we face as a nation,” John Riggi, AHA’s national advisor for cybersecurity and risk, said in a statement then, it is unclear on how software security requirements would affect healthcare IT providers.
Legislation introduced last September would direct CISA to collaborate with Health and Human Services to specifically protect healthcare data from cyberattacks, but the bill, S.3904 introduced by Sen. Jacky Rosen, D-Nev., has been sitting with the Committee on Homeland Security and Governmental Affairs since October.
According to that committee’s report, “S. 3904 ensures that CISA and HHS coordinate to provide appropriate resources to healthcare and public health sector entities to prevent, detect and respond to cyber incidents.
“This includes developing products for sector entities, information sharing and providing cybersecurity training to sector asset owners and operators. Additionally, the bill requires that HHS update the Healthcare and Public Health Sector-Specific Plan, last updated in 2015, within one year of enactment.”
The committee said it agreed with the Congressional Budget Office that the bill “contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would impose no costs on state, local, or tribal governments.”
Rep. Jason Crow, D-Colo., also introduced the companion version H.R.8806 in September without further activity to date. That month, Crow’s office told Healthcare IT News that Rosen would take the lead on funding for the proposal in the FY23 National Defense Authorization Act.
However, the summary of the final NDAA on the House Armed Services Committee’s website makes no mention of funding for CISA or HHS in the areas of cybersecurity and healthcare data protection.
ON THE RECORD
“We must quickly detect adversaries, incidents and vulnerabilities, and enable timely mitigation before harm occurs,” CISA said. “We must help organizations, particularly those that are ‘target rich, resource poor” take the fewest possible steps to drive the most security impact.
“This is a shared journey and a shared challenge.”
Next month, the HIMSS 2023 Healthcare Cybersecurity Forum will explore how the industry is fortifying its defenses today and preparing strategies for the future. It’s scheduled for Sept. 7 and 8 in Boston. Learn more and register at HIMSS.org/event-healthcare-cybersecurity-forum.
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
