White House Sets Sights on New Healthcare Cybersecurity Standards

Anne Neuberger said that the creation of additional healthcare cybersecurity standards and guidance would be an upcoming area of focus for the White House.

New healthcare cybersecurity standards and guidance from the White House are on the horizon, Anne Neuberger, deputy national security advisor for cyber and emerging technology in the Biden Administration, said at a recent Washington Post event.

Specifically, Neuberger pointed to the healthcare, water, and communications sectors as the next three cybersecurity focus areas for the White House, furthering the administration’s emphasis on critical infrastructure security.

The US is “pretty much last in the race” when it comes to putting in place minimum security standards for critical infrastructure compared to peer countries, Neuberger explained.  

At the very least, this puts the US in a good position to learn from other countries and establish minimum cyber regulatory frameworks for critical infrastructure.

HHS is “beginning to work with partners at hospitals to put in place minimum cybersecurity guidelines,” Neuberger explained. Further work is being done to secure “devices and broader healthcare” as well.

These actions align with the administration’s executive order (EO 14028) from May 2021, which focused on improving the nation’s cybersecurity through public-private partnerships and an emphasis on improving security within federal information systems.

Industry Analysis

For healthcare, further federal security guidance could help the sector manage risk amid an increasingly complex and active cyber threat landscape. In 2021, the healthcare sector fell victim to ransomware more than any other critical infrastructure sector, the Federal Bureau of Investigation found.

“We unfortunately continue to see ransomware attacks against hospitals, which could be helped if hospitals had a baseline to establish, maintain, and measure their cyber security hygiene and level of preparedness,” Stacy O’Mara, senior director of government affairs at Mandiant, told HealthITSecurity.

O’Mara also acknowledged that the healthcare sector is already a highly regulated industry with a variety of security and privacy compliance requirements. HIPAA, HITECH, the Federal Trade Commission Act, and other regulations and frameworks all serve to protect health data and safeguard healthcare cybersecurity.

In addition, the recently enacted Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will require the healthcare sector to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA), O’Mara noted.

A streamlined approach could help to ease the burden on individual entities.

“While all of these existing regulations are helpful to the healthcare sector – and should evolve to account for evolving threats to patients’ medical records, medical devices, and hospitals’ networks and systems – the federal government needs to continue its efforts to harmonize and streamline regulatory requirements,” O’Mara suggested.

Emphasis On Public-Private Partnerships

A major focus of EO 14028 was on establishing public-private partnerships to improve communication and coordination between federal entities and private sector businesses.

The private sector owns and operates much of US critical infrastructure, Neuberger noted during the event. As a result, collaborating on threat sharing and establishing standards is crucial to mutual success.

The benefits of purposeful, goal-oriented public-private partnerships were proven in part by the events following the Colonial Pipeline cyberattack, which disrupted miles of the US fuel supply chain in May 2021.

Following the attack, Neuberger explained during the Washington Post event, the Transportation Security Administration (TSA) issued a security directive for oil and gas pipelines, and officials held classified threat briefings for private sector executives. The meetings resulted in updated TSA security guidelines that could also serve as a model for other sectors.

To O’Mara, the idea of public-private partnerships is “more than just a catchphrase.”

“No single entity – including the federal government – has the full picture of the threat landscape or a complete understanding of the first, secondary, tertiary, etc. effects of a new statute or regulation when it comes to cybersecurity,” O’Mara reasoned.

All relevant stakeholders, from critical infrastructure operators to state and local governments, law enforcement agencies, and civil and privacy rights groups, “have insight that’s relevant to the rulemaking process.”

“While having so many players could create an arduous process for getting this right, these stakeholders need to be included in the discussions,” O’Mara continued. “It will never be perfect, but representation here is important.”

O’Mara said she was “pleased” to see an ongoing focus on improving critical infrastructure security while acknowledging that there is a long road ahead.

“The federal government continues to get its house in order with respect to cyber security and now we’re seeing an emphasis on the rest of the country. This is difficult to do – striking a balance between requiring these entities to take on more while also ensuring they’re contributing to the nation’s national security by adhering to minimum standards to keep all of us ‘cyber safe,’” O’Mara noted.

“The whole-of-community approach is incredibly important to do this right.”
