Biden’s National Cybersecurity Strategy calls for market forces, mandates
The American Hospital Association and HITRUST say they are optimistic about the strategies to fight destabilizing cybercrime and cyberterrorism in the Biden Administration's nearly 40-page national cybersecurity policy proposal.
WHY IT MATTERS
After continued waves of ransomware attacks on hospitals and health systems, healthcare stakeholders have spoken clearly about the level of sophistication of cybercriminals in their appeals to the federal government for coordinated action.
President Joe Biden said in the National Cybersecurity Strategy report, released Wednesday, that the United States is prepared to meet these cybersecurity challenges by working with "partners everywhere."
Senator Mark Warner said by email that he was "particularly pleased" to see the Biden Administration prioritize the coordination of cyber incident reporting requirements and its "renewed focus on protecting the sensitive medical data and safety of Americans as cyber attacks on our healthcare systems become more frequent and aggressive."
Warner previously released a cybersecurity policy options paper in November 2022 that focused on patient safety and addressed national risk posture, federal leadership, cyberattack recovery requirements and incentives for the private sector that could improve healthcare cybersecurity capabilities.
John Riggi, AHA’s national advisor for cybersecurity and risk, said the hospital organization has worked closely with lawmakers and federal agencies to address the magnitude of this national security threat to public health and safety.
"The AHA commends the Biden Administration on this comprehensive National Cybersecurity Strategy, which acknowledges that private sector efforts alone are insufficient to counter the significant cyber threats we face as a nation," he said in a statement sent by email.
"Healthcare cyberattacks are threat-to-life crimes that disrupt and delay health care delivery, and cybersecurity is a top priority. Since 2020, the AHA has urged the federal government to adopt policies similar to those used in the fight against terrorism – utilizing all elements of national power to disrupt and dismantle foreign-based bad actors."
Riggi said that, in addition to declaring ransomware attacks a national security threat, the strategy aims to conduct more offensive operations against cyber threat actors and implement software security requirements for software developers.
"The AHA will continue to work with the hospital field, Congress and the Administration and other stakeholders to advance and adopt cyber policies that are streamlined, effective and feasible to implement," said Riggi.
Robert Booker, chief strategy officer for HITRUST, a standards development and assurance organization, called the national strategy an ambitious undertaking and the use of market forces critical.
"As the Federal Government moves towards mandates for critical infrastructure cybersecurity, we encourage approaches that incentivize American companies to leverage and integrate mature security capabilities from the private sector and that use transparent and continually updated measurement and assurance systems to assess and sustain security capabilities in the face of constantly changing threats," he said in a statement sent to Healthcare IT News.
"I’m pleased to see the Biden Administration advocating for the kind of best practices that I’ve long called for, such as building and reinforcing strong partnerships with the private sector, investing in the long-term protection of our nation’s critical infrastructure, being proactive about establishing strong cybersecurity foundations and meeting critical standards," added Warner.
THE LARGER TREND
AHA has advocated for an offensive posture coordinated by the federal government, and called for greater support to help get hospitals back online quickly after they are victimized by cyberterrorism.
In December, Riggi told Healthcare IT News there is still a lot to be done to increase the capacity of the government to share real-time automated threat indicators.
"We can only do so much on defense when foreign-based adversaries sheltered by hostile nation-states attack us. The other half of this equation is a robust offense by the U.S. government to go after these folks," he said in a discussion that also addressed Warner's policy options paper.
Warner's paper suggested a considerable amount of governance, but also called for a balanced approach with shared responsibilities for both the public and private sectors.
ON THE RECORD
"I’m also glad to see the Administration’s renewed focus on protecting the sensitive medical data and safety of Americans as cyber attacks on our healthcare systems become more frequent and aggressive," said Warner in his statement.
"The sophistication of state and non-state actors and criminal activity that leverages the technology that Americans rely upon every day is a persistent problem and one that cybersecurity and business leaders across American industry take seriously," Booker said by email.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.