How The New National Cybersecurity Strategy Will Impact Healthcare Cybersecurity

The Biden Administration issued its National Cybersecurity Strategy aimed at securing critical infrastructure, disrupting cyber threat operations, and investing in a more secure digital ecosystem.

The Biden administration issued its much-anticipated National Cybersecurity Strategy aimed at shifting cyber defense responsibilities, improving cyber resilience, and disrupting cyber threat operations.

The document is divided into five pillars, representing key focus areas: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.

Each pillar has significant implications for critical infrastructure entities, including those in the healthcare sector. Namely, the National Cybersecurity Strategy highlights the need to further prioritize Internet of Things (IoT) device security and to transfer some cyber responsibilities away from software users and onto vendors.

“We must make fundamental changes to the underlying dynamics of the digital ecosystem, shifting the advantage to its defenders and perpetually frustrating the forces that would threaten it,” the document states.

“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”

If these policies are enshrined into law, they could impact how healthcare organizations and their business associates tackle today’s most complex cybersecurity challenges, and what kind of support they may receive from Federal entities.

Key Healthcare Sector Impacts

“The announcement today that the US federal government will be taking a bigger role in the defense of US critical infrastructure is very welcome. It’s something that I and many others have been pushing for over the course of the past 5 or 10 years,” said Richard Staynings, chief security strategist at Cylera.

“While the National Cybersecurity Strategy outlines the expansion of the federal government’s public-private collaboration to defend against attacks, it also strengthens the government’s offensive role in disrupting cyber threat actors, something that it has slowly been ramping up over the past two years.”

In addition to reaffirming the US government’s commitment to taking down cyber threat actors by increasing the speed of intelligence sharing and enhancing public-private sector collaboration, the Strategy also emphasizes the Administration’s goal of improving critical infrastructure security defenses.

“The healthcare sector is implicitly included in the Strategy’s discussion of critical infrastructure, and will be affected by three specific elements as well as the federal government’s efforts to disrupt criminal infrastructure,” Mike Hamilton, CISO of Critical Insight, told HealthITSecurity.

“First, the regulatory requirements will grow, likely with enhanced focus on third-party risk management. Because of the increasing trend to compromise healthcare entities through business associates, assessing and monitoring third-party security controls will be an additional regulatory task.”

In fact, a key focus area of the document is vendor accountability. The Administration expressed support for shifting cybersecurity liability, noting that it should fall on both “the owners and operators of the systems that hold our data and make our society function,” and the technology providers that these owners and operators rely on.

“Second, the initiative to work with vendors to ensure the security of IoT devices – including medical IoT – will serve to take the burden off healthcare to secure products post-implementation,” Hamilton continued.

The Strategy mentioned that the Administration will work with Congress and private sector organizations to develop legislation that establishes liability for software products and services. As previously reported, industry experts have long championed a need for shared responsibility and additional Federal support when it comes to medical device security.

Third, Hamilton pointed out the strategy document’s provisions that aim to limit what personally identifiable information (PII) can be collected and transferred by data stewards. One of the document’s strategic objectives, titled “Hold the Stewards of Our Data Accountable,” specifically aims to protect vulnerable populations from the risks of data misuse.

“The Administration supports legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information,” the document says.

The Federal Trade Commission (FTC) has taken this topic to heart as of late, imposing a $1.5 million penalty on telemedicine and prescription drug discount provider GoodRx for leveraging third-party tracking pixels from companies like Facebook, Google, Criteo, Branch, and Twilio that allegedly gathered sensitive data and used it for advertising purposes.

Any number of the document’s other strategic objectives could have impacts that reach the healthcare sector if enacted into law. For example, the Strategy hinted at the potential for a Federal insurance response structure that would enable the government to quickly respond to catastrophic cyber events with aid.

“As with all things that come out of the US government, however, the devil will be in the details, and the details have yet to be written and published, so we will all have to wait and see for the time being,” Staynings noted.

National Cybersecurity Strategy Met With Resounding Support

Senator Mark Warner (D-VA), who has been a longstanding proponent of healthcare cybersecurity legislation, issued a statement following the release of the National Cybersecurity Strategy.

“I’m pleased to see the Biden Administration advocating for the kind of best practices that I’ve long called for, such as building and reinforcing strong partnerships with the private sector, investing in the long-term protection of our nation’s critical infrastructure, being proactive about establishing strong cybersecurity foundations and meeting critical standards,” Warner said.

“I’m particularly pleased to see the Administration prioritize the coordination of cyber incident reporting requirements, as required by the cyber reporting law I was proud to author. I’m also glad to see the Administration’s renewed focus on protecting the sensitive medical data and safety of Americans as cyber attacks on our health care systems become more frequent and aggressive.”

Warner released a detailed policy options paper in November that highlighted the sector’s top cybersecurity challenges and how legislation might help ease the industry’s concerns.

The American Hospital Association (AHA) also expressed support for the Strategy and commended the Biden Administration for its efforts.

“We are pleased that the strategy includes several important ideas such as declaring ransomware attacks as a national security threat; conducting more offensive operations against cyberthreat actors; and implementing software security requirements for software developers,” said John Riggi, the AHA’s national advisor for cybersecurity and risk.

“The AHA will continue to work with the hospital field, Congress and the Administration, and other stakeholders to advance and adopt cyber policies that are streamlined, effective and feasible to implement.”

The National Cybersecurity Strategy will be overseen by the Office of the National Cyber Director, which has already begun the implementation process.