HHS-CISA partnership plan good first step, but small entities need short-term help

A recently proposed bipartisan bill would see the Department of Health and Human Services partnering with the Cybersecurity and Infrastructure Security Agency to bolster cybersecurity facing the health and public health sectors, providing the sector with much-needed support on critical issues.

Introduced by Sens. Jacky Rosen, D-Nev., and Bill Cassidy, R-La., The Healthcare Cybersecurity Act mandates that CISA and HHS enter into an agreement to target healthcare risks, while authorizing cybersecurity training for the sector’s asset owners and operators.

It would also task CISA with conducting a study on the specific cyber risks facing the sector, which would include an analysis of risks and challenges specific to healthcare assets and an assessment of ongoing, relevant cybersecurity workforce challenges. 

The proposed legislation was informed by discussions with industry leaders, including The American Hospital Association, which led to the inclusion of elements long-sought by healthcare stakeholders.

Although the sector has made major steps to properly defend their networks, stakeholder groups have repeatedly warned that the majority of provider organizations will likely require outside assistance to address security challenges. The bill takes necessary first steps to address these key cybersecurity challenges, AHA leaders noted in a letter to the senators.

AHA also expressed support for coordinating national defensive measures and expanding the cybersecurity workforce, while working to combat attacks against critical infrastructure and supporting the sector with needed training. Specifically, the “whole of government approach” proposed in the bill is crucial for bolstering defenses.

However, “while this coordination will have some long-term benefit if properly leveraged, it would not be reasonable to expect any immediate and measurable effect on real-world security risk,” explained Steve Abrahamson, executive director of technology consulting at EY.

The collaboration would be invaluable to healthcare’s long-term goals and can enable “opportunities for decisions based on better information.” But Abrahamson noted it’s not clear whether these lofty goals will directly impact near-term cybersecurity challenges, like identifying and addressing risks to the healthcare sector and potential impacts, or adverse events.  

“For example, the impacts of a data breach, a ransomware attack, and a device malfunction due to malicious modification are all very different,” Abrahamson added. “This collaboration would benefit from establishing better understanding of these different risks and impacts.”

“The coordination proposal appears to be directed at all these risks, but can better clarify how better understanding of these differentiated risks can be a key outcome of the collaboration,” he added. As such the proposal should be “seen as a step in the journey toward more effective cybersecurity measures within healthcare.”

Effort to strengthen health sector cybersecurity dates to Obama era

For context, Cylera’s Chief Security Strategist Richard Staynings referenced the Obama administration’s directive that designated healthcare as one of the 16 critical infrastructure industries, later added to the Executive Order 13636 to Improve Critical Infrastructure Security and Resilience.

The initial directive to advance efforts strengthen, secure and create a more resilient critical infrastructure first began in February 2013, aiming to bolster private and public partnerships and the Department of Homeland Security.

Healthcare was being targeted long-before the recent spate of supply chain attacks, and even now, as the threat of fallout from the ongoing Ukraine-Russian conflict continues. But despite some cybersecurity improvements in critical infrastructure since that time, Staynings stressed that “plainly more needs to be done to defend these industries from cyberattacks.”

Among its key challenges are the vast disparities between healthcare entities themselves. While there are a number of major health systems made up of hundreds of smaller provider offices and hospitals, there’s a great deal of small community health systems and regional hospitals that “are lucky to have any staff dedicated towards cybersecurity.”

Others entities may even have limited security tools, and thus, “sitting ducks to a well-funded and motivated attacker,” explained Staynings. These health systems require the additional support from federal and state governments. In particular, if an attack hits a rural provider and care is disrupted, a patient may have to travel hundreds of miles to find an alternative.

As such, the proposed measures could begin to chip away at the current imbalances facing the sector.

“Plainly, it’s a very uneven battle putting the cyber defense capabilities of a rural community hospital up against the nation-state cyber capabilities of the Russian GRU … or the heavily organized and well-funded Russian crime syndicates,” said Staynings.

“This is why we need the federal government to provide some sort of additional security umbrella, much more than the basic information sharing and training outlined in the current version of the bill,” he added.

Like Abrahamson, Staynings stressed that the proposed legislation should be viewed as a first step. And hopefully, Congress can work out “many of the details of what CISA and HHS will provide under the act” as it goes through committee and implemented by the agencies.