Getting the health sector to vastly improve the state of its cybersecurity will take much more than the recent issuance of federal guidance outlining cyber performance goals for entities. It will also require new government incentives and mandates, said Steve Cagle, CEO of consultancy Clearwater.
“It’s a combination of things. Just publishing the goals – it’ll help. But it’s not really going to be enough to change behavior,” said Cagle about the new cybersecurity performance goals for the healthcare sector that the Department of Health and Human Services issued last week (see: HHS Details New Cyber Performance Goals for Health Sector).
HHS divided the new goals into two groups – essential and enhanced. Essential goals call for healthcare entities to implement basic best practices and controls, such as multifactor authentication, strong encryption and incident response planning.
Enhanced goals include activities and controls such as asset inventory, third-party vulnerability disclosures and incident reporting, cybersecurity testing and mitigation, network segmentation and other best practices.
Both sets of goals are based on industry cybersecurity frameworks, best practices and strategies, including the National Institute of Standards and Technology’s Cybersecurity Framework and the Health Industry Cybersecurity Practices – or HICP – playbook developed by the Health Sector Coordinating Council and HHS’ 405(d) cyber advisory group.
HHS is currently calling the goals “voluntary,” but a Biden administration health sector cybersecurity strategy concept paper issued in December foreshadows the HHS goals being published and hints about potential upcoming rule-making and regulatory changes (see: Biden Administration Issues Cyber Strategy for Health Sector).
Among the initiatives are updating the HIPAA Security Rule, potentially requiring cybersecurity best practices as a condition for hospitals to participate in Medicare and Medicaid programs, and possible financial help for under-resourced entities, such as rural hospitals.
Whatever the final outcome, Cagle said, the healthcare sector should not view the best practices HHS spotlighted in both sets of goals as being optional.
“If we really want to see change across the industry – and what I mean is, we’re not seeing ransomware attacks at hospitals with ambulances being diverted from emergency rooms and we’re not seeing mega breaches leading to north of 120 million records, like we had last year – we need real change,” he said.
“We need to motivate healthcare organizations and their third parties to change their behavior.”
In this interview with Information Security Media Group, Cagle also discussed:
- What’s missing from HHS’ cybersecurity performance goals for healthcare sector entities;
- Surging security risks and threats involving third-party vendors and business associates;
- Holding the C-suite accountable for healthcare cybersecurity issues.
Cagle is chief executive and board member of privacy and security consultancy Clearwater. He previously served as president and CEO of Moberg Pharma North America and president and CEO of Alterna LLC. He also previously worked as a principal and executive team member at Sparta Systems Inc.