Executive Branch Zeros in on Healthcare, Critical Infrastructure Cyber Protections

By First Health Team

The Biden Administration is working to expand cyber protections for the healthcare, education, and agriculture industries, as part of a targeted focus to support critical infrastructure entities struggling to meet cybersecurity standards, said Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, at the Financial Times Cyber Resilience Summit on June 22.

These three industries are a primary concern for the administration, given the rise in ransomware attacks and other cyber threats.

The comments echo earlier statements made by Neuberger during an Axios event in October: that the cybersecurity rules enacted by the administration for airlines and critical pipeline entities will extend to cover hospitals and medical devices, as well as the public warning system and water sector.

At the time, Neuberger made it clear that her team was looking at other sectors to determine where congressional help is needed – and suggested a future that would include mandating minimum cybersecurity standards.

Since the hack of the Colonial Pipeline in 2021, the administration has made it clear that it intends to impose strong cybersecurity rules for critical infrastructure entities – healthcare among them.

Although some rules remain in progress, executive orders have already added reporting requirements for these entities, as well as a requirement to develop incident response plans to ensure critical infrastructure entities can maintain services in the event of a cyberattack.

It’s unclear how the executive branch will take action on its reaffirmed support for critical infrastructure entities, but these previous executive orders requiring organizations to take greater responsibility for their cyber defenses suggest that’s where the government would take its first steps.

Healthcare stakeholders have long debated the benefits of the “stick” versus “carrot” when it comes to enforcement of poor cybersecurity practices. The consensus is that the “stick”, or stiff monetary penalties for non-compliance with the Health Insurance Portability and Accountability Act (HIPAA), has done nothing to improve the current state of things.

These monetary penalties only pull additional funds from would-be security investments and further burden provider organizations struggling to stay out of the red, retain security talent, and get their arms around just what cyber measures are needed under the current threat landscape.

Enacted in 2021, Public Law 116-321 amended the HITECH Act and made incentive headway in the carrot versus stick model: Codifying 405d and NIST recognized security practices, the amendment also directs the Department of Health and Human Services to take into account an entity’s use of those recognized security practices within 12 months of a reported security incident, during an audit to determine possible enforcement actions.

It’s widely viewed as a way to incentivize providers for meeting best practice cybersecurity, rather than handing down massive monetary penalties for entities experiencing a data breach, despite best efforts. The HHS Health Industry Cybersecurity Practices even provides entities with step-by-step guidance for effective security, tailored to the size and maturity of the organization.