A CISO's Response to the Recent HHS Cybersecurity Strategy Paper
As founder and chief information security officer of Austin, Texas-based ClearDATA, Chris Bowen leads the company’s internal privacy, security and compliance strategies as well as its international security risk consulting practice. He has provided counsel to some of the world’s largest healthcare organizations. In this opinion piece, he offers a response to a recent paper by federal healthcare regulators on cybersecurity strategy.
On Dec. 6, 2023, the Biden Administration released a comprehensive strategy document from the U.S. Department of Health & Human Services (HHS), outlining its approach to promoting improved cybersecurity practices in the healthcare sector.
Simply put, while this strategy document serves as a gesture toward taking steps forward, the four major initiatives outlined by the HHS do not go nearly far enough to protect patient data in an increasingly hostile cyber environment. Let’s look at the four initiatives in additional detail to better understand why the time for half-measures is over.
1. Establishing voluntary cybersecurity goals for the healthcare sector
HHS' suggestion to establish voluntary cybersecurity goals for the healthcare sector is disappointing. It advocates way too little, way too late. Time has long passed for thinking about voluntary measures to ensure healthcare organizations keep patients safe. In an era where the HHS itself notes a 93 percent increase in large healthcare data breaches from 2018 to 2022, as well as a 278 percent increase in those that involve ransomware, the organization is, in essence, proposing administering an aspirin to cure brain cancer. I have long held that volunteering your organization to sign up for “non-required” cybersecurity standards misses the mark—because it’s highly unlikely that organizations will volunteer for additional work and additional expense. Instead, there should be a clear mandate for certain minimum cybersecurity standards that prevent cyber-attacks and increase resiliency in the event of a ransomware event.
2. Providing resources to incentivize and implement cybersecurity practices
I absolutely agree with providing resources; however, enough of the carrot-and-stick approach to protecting patient data. Providing healthcare isn’t just about protecting the integrity of our infrastructure, it’s about saving people’s lives.
Moreover, the sector’s talent gap in cybersecurity also places our hospitals at risk, jeopardizing patient safety. We need new approaches that will help build a workforce that is prepared to protect the healthcare delivery system from existing and future cybersecurity threats.
For example, Sen. Mark Warner from Virginia, who co-founded the bipartisan Senate Cybersecurity Caucus in 2016, has called for Congress to “consider establishing a workforce development program that focuses specifically on healthcare cybersecurity.”
This program would incentivize college graduates to work in cybersecurity roles within the health systems that need the resources and receive tuition reimbursement benefits. The Healthcare Sector Coordinating Council (HSCC) has also put out recommendations around how organizations can grow cyber talent from their current workforce.
3. Implementing an HHS-wide strategy to support greater enforcement and accountability
Rather than levying fines against the health systems that ultimately pass along the cost to those they are meant to treat (patients), we need to explore alternative ways of ensuring compliance by introducing strict penalties for those at fault for negligence.
The Office for Civil Rights must stop levying fines that add additional pressure on already-stretched healthcare systems that have fallen victim to state-sponsored ransomware attacks. Instead, let’s focus on strengthening sanctions against nation-states involved in cyberattacks to protect our healthcare delivery system better.
4. Expanding and maturing the “one-stop shop” within HHS for healthcare sector cybersecurity
The expansion of the "one-stop shop" cybersecurity support function for the healthcare sector within the Administration for Strategic Preparedness and Response (ASPR) is a step in the right direction. The assistance provided can help healthcare organizations navigate the complex cybersecurity landscape. It is imperative to facilitate our industry's access to the support and services provided by the federal government.
With a rapidly changing technology landscape and increased adoption of cloud computing, it’s imperative that the federal government stock the shelves of this “one-stop shop” with tools and advice that are relevant to today’s technologies. That includes direct tooling to protect serverless, microservice, ephemeral, and stateless containers as well as the traditional virtual machine technology promulgated by major cloud providers. Long gone are the days when everything is found in the data center (or a basement).
When it comes to ransomware attacks, we must do all we can to prevent them, and to punish those who execute and sponsor these attacks. I applaud the American Hospital Association and other key stakeholders for their efforts in urging the FBI and Department of Justice to adopt critical policy changes that classify ransomware as “threat-to-life” crimes, giving them higher investigative priority and resource allocation. Our patients rely on us during their most vulnerable times. We owe it to them to fortify our defenses with the utmost urgency and resolve. We cannot let them down.