Getting the healthcare sector to vastly improve its state of cybersecurity will take much more than the recent issuance of new federal guidance outlining cyber performance goals for entities. It will also require new government incentives and mandates, said Steve Cagle, CEO of privacy and security consultancy Clearwater.
“It’s a combination of things. Just publishing the goals, it’ll help. But it’s not really going to be enough to change behavior,” said Cagle about the Department of Health and Human Services’ new “voluntary” cybersecurity performance goals for the healthcare sector issued last week (see: HHS Details New Cyber Performance Goals for Health Sector).
HHS divided the new goals into two groups – essential and enhanced. Essential goals include healthcare entities implementing basic best practices and controls, such as multifactor authentication, strong encryption and incident response planning.
Enhanced goals include activities and controls such as asset inventory, third-party vulnerability disclosure and incident reporting, cybersecurity testing and mitigation, network segmentation and other best practices.
Both sets of goals are based on industry cybersecurity frameworks, best practices and strategies, including the National Institute of Standards and Technology’s Cybersecurity Framework and the Health Industry Cybersecurity Practices – or HICP – playbook developed by the Health Sector Coordinating Council and HHS’ 405(d) cyber advisory group.
But while HHS is currently calling the goals “voluntary,” a Biden administration health sector cybersecurity strategy concept paper issued in December not only foreshadowed the publication of the HHS goals but also hinted at potential upcoming rulemaking and regulatory changes (see: Biden Administration Issues Cyber Strategy for Health Sector).
Among the initiatives are updating the HIPAA security rule, potentially requiring cybersecurity best practices as a condition for hospitals to participate in Medicare and Medicaid programs, and possible financial help for under-resourced entities, such as rural hospitals.
Whatever the final outcome, Cagle said the best practices HHS spotlighted in both the essential and enhanced sets of goals really should not be viewed by the healthcare sector as optional.
“If we really want to see change across the industry – and what I mean is, we’re not seeing ransomware attacks at hospitals with ambulances being diverted from emergency rooms and we’re not seeing mega breaches leading to north of 120 million records, like we had last year – we need real change,” he said.
“We need to motivate healthcare organizations and their third parties to change their behavior.”
In this interview with Information Security Media Group, Cagle also discussed:
- What’s missing from HHS’ cybersecurity performance goals for healthcare sector entities;
- Surging security risks and threats involving third-party vendors and business associates;
- Holding the C-suite accountable for healthcare cybersecurity issues.
Cagle is chief executive and a board member of privacy and security consultancy Clearwater. He previously served as president and CEO of Moberg Pharma North America, a subsidiary of Moberg Pharma AB, a publicly traded Swedish pharmaceutical company. Prior to its acquisition by Moberg Pharma AB, Cagle served as president and CEO of Alterna LLC, a consumer healthcare products company. Earlier, he was a principal and executive team member at Sparta Systems Inc., a software company.