How Health Care Leaders Should Plan for Building Cyber Resiliency
Policy leaders recommend health care organizations implement tools like encryption and multi-factor authentication to protect their data.
Federal health leaders are strategizing how health care organizations can build and budget for cyber resiliency as the attack landscape and need for data security grow.
“Resiliency costs money. … You can’t just plug in a new system and that you are now resilient,” said Keith Busby, acting CISO & Information Security and Privacy Group Director at the Centers for Medicare and Medicaid Services (CMS), during a recent webinar. “You don’t need to throw out everything that you’ve done. You just need to look at it from a different angle and look at some of the best practices that have been around for years.”
HHS released its cybersecurity strategy last year outlining four pillars of action to strengthen resilience through voluntary health care and public health sector cybersecurity performance goals (HPH CPGs). The goals incentivized organizations to develop resiliency and also expanded cybersecurity services within HHS’ Administration for Strategic Preparedness and Response (ASPR).
Cmdr. Thomas Christl, director of the Office of Critical Infrastructure Program within ASPR, noted the goal for the 2023 HHS roadmap was to provide consolidated, actionable guidance recommendations in a simplified manner.
“This is going to cost money, and so HHS is looking at how can we incentivize entities to implement those practices. There’s mention of upfront investment programs as well as incentives to continue to advance the practices within an entity,” he said during the webinar. “What do we already have in place? Existing brands, programs or collaborative agreements or cooperative agreements, where else might we need to grow?”
The comments come amid an overhaul at HHS launched Thursday in which cybersecurity and tech policy and strategy functions are moving to ASPR and the renamed Assistant Secretary for Technology Policy and Office of the Coordinator for Health IT (ASTP/ONC).
“Cybersecurity, data and artificial intelligence are some of the most pressing issues facing the health care space today,” said HHS Secretary Xavier Becerra in a statement. “For decades, HHS has worked across the organization to ensure appropriate and safe use of technology, data and AI to advance the health and well-being of the American people.”
Tips for Cyber Resiliency
There are several things health care organizations should prioritize to increase data security and resilience. One priority is having a good data inventory.
“As an organization, you need to be able to know where your data is and who you’re giving it to, and so I think finding a way to do that is important, and you’re only going to do that through relationship building through collaboration with the business side of the house,” said Busby.
Busby added multi-factor authentication and encryption are basic security controls organizations should implement.
Christl added that cybersecurity should also be a part of risk management approaches.
“Everything relies on it, and it can’t just be an afterthought. Work it into exercises. Have specific exercises for cybersecurity. The preparedness supports resilience and recovery,” said Christl. “Also try to truly understand the first, second, third-level contingencies, and make sure you have plans to address those contingencies as much as possible. Then the most important part of all of this is that once you think you’ve understood those, talk with the people and have the conversations that go back to the contracts and resilience.”
ARPA-H Programs Tackle Resilience
Christl cited efforts the Advanced Research Projects Agency for Health (ARPA-H) launched, including its new Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program and its Digital Health Security Initiative.
Christl said he’s also collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) to help organizations understand what resources they have.
“They have free, scalable services that entities can sign up for to help get information on where they might be vulnerable,” said Christl. “They also have a health care and public health sector cybersecurity toolkit. We’re working with them to make sure that they’re speaking the right language for the health care sector, that they’re engaging effectively so that as many people as possible become aware of these resources and that they’re going to be taking advantage of them.”