DoD: Staff Need Healthcare Privacy, Cloud Security Certifications
Two (ISC)² certifications for healthcare privacy and cloud security are now prerequisites for certain US Department of Defense cybersecurity staff.
The US Department of Defense (DoD) will now require certain incoming cybersecurity staff to complete two additional (ISC)² certifications focused on healthcare privacy and cloud security. The addition signifies the growing importance of healthcare cybersecurity in the US government.
The DoD’s Cyber Workforce Management Program requires employees to complete certain baseline certifications in order to be well-versed in information assurance and cybersecurity practices.
(ISC)², a nonprofit association of security professionals that offers credentials in information, software, cyber, and infrastructure security, developed the new certifications to address the gap in healthcare cybersecurity. The DoD already offers several other (ISC)² certifications that fulfill requirements for its security roles.
The new HealthCare Information Security and Privacy Practitioner (HCISPP) and the Certified Cloud Security Professional (CCSP) certifications will be added to the DoD’s approved baseline certifications.
"The addition of the HCISPP and CCSP certifications to the DoD's requirements for certain cybersecurity roles points to the growing need to protect and defend health information and cloud data from targeted attacks," Casey Marks, PhD, chief qualifications officer at (ISC)², said in a press release.
"These certifications attest that their holders have broad, experience-based mastery of security concepts in real-world situations. Adding such professionals to the front lines of national cyber defense is an encouraging step by the DoD."
The CCSP cloud security certification teaches participants best practices and procedures for managing cloud-based infrastructure. The HCISPP combines cybersecurity with healthcare privacy practices to ensure security within organizations.
The DoD’s addition of a healthcare-focused cybersecurity certification is telling. As both malicious ransomware attacks and human error continue to cause data breaches across the healthcare sector, the government has been forced to reevaluate its own cybersecurity practices.
President Biden’s recent executive order on cybersecurity urged government agencies to work with each other and the private sector and develop strategies for preventing additional cyberattacks. In response, the National Institute of Standards and Technology (NIST) published guidance on ransomware risk management. NIST’s framework encourages using antivirus software and regularly patching computers in order to prevent attacks.
In addition, a recent US Government Accountability Office (GAO) study examined how HHS organizes its security entities and found that a lack of collaboration between them could be hindering healthcare cybersecurity. The study exposed significant organizational issues within HHS’s security arm. HHS agreed to take six out of seven of GAO’s collaboration recommendations into consideration.
Despite the influx of guidance, many healthcare systems are suffering the consequences of outdated cybersecurity practices and insufficient employee security training. A recent data breach occurred at UofL Health in Kentucky after an employee sent protected health information to the wrong email address.
Additionally, University Medical Center of Southern Nevada announced that it fell victim to a ransomware attack that exposed images of passports, Social Security numbers, and driver’s licenses. Renown Health in Nevada also announced it was part of a data breach through its business associate, Elekta, that impacted over 40 other healthcare organizations.