web analytics

CISA and HHS Would Team Up in Health Sector Under House Bill – Source: www.databreachtoday.com

cisa-and-hhs-would-team-up-in-health-sector-under-house-bill-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Healthcare
,
Industry Specific
,
Legislation & Litigation

Bill Is Similar to Senate Proposals, But Will Congress Take Action Before Election?

Marianne Kolbasuk McGee (HealthInfoSec) •
August 30, 2024    

CISA and HHS Would Team Up in Health Sector Under House Bill
Image: Getty

A bipartisan House bill aims to bolster cybersecurity in the healthcare sector by requiring stronger collaboration between CISA and the Department of Health and Human Services. The bill is a companion to nearly identical bipartisan legislation introduced in the Senate in July.

See Also: Live Webinar | Building a More Resilient Healthcare Enterprise and Ecosystem

Lawmakers unveiled the House legislation – the Healthcare Cybersecurity Act – on Thursday. The bill is sponsored by U.S. Reps. Jason Crow, D-Colo.; Brian Fitzpatrick, R-Penn., and Andy Kim, D-N.J.

“Cyberattackers are targeting Americans’ medical data and must be stopped,” Crow said in a statement. The country needs to bolster its cyber defenses to better protect “Americans’ most personal and sensitive information from malicious actors,” he said

The House bill calls for the creation of a liaison within CISA to coordinate with HHS during cybersecurity incidents and to collaborate in supporting healthcare and public health sector entities with cybersecurity training and other related resources.

That proposed training made available by CISA to “owners and operators” of technologies, services and utilities in the healthcare and public health sector includes ways to mitigate security risks to information systems.

The lawmakers pointed to the massive disruption of the healthcare ecosystem earlier this year by the ransomware attack on Change Healthcare, which highlighted “the lack of preparation and training during the recovery process.”

The Senate version of the bill – the Healthcare Cybersecurity Act of 2024, introduced in July by Sens. Jacky Rosen, D-Nev.; Todd Young, R-Ind.; and Angus King, I-Maine – proposes similar actions, including a new liaison within CISA to work with HHS on healthcare sector cybersecurity (see: Bill Calls for CISA, HHS Effort to Boost Health Sector Cyber).

The proposals in both the House and Senate versions of the bills would codify with congressional oversight much of what has been in progress within the cybersecurity organizational structure at HHS in partnership with CISA, some experts said.

“While it is encouraging to see the bipartisan support to address this issue, HHS and CISA have been working toward this common goal for years. Much of what is outlined within this proposed bill is documenting work that is currently underway,” said Kate Pierce, executive director of government affairs at security firm Fortified Health Security.

“Capturing the specifics within legislation would ensure that the upcoming changes in administration will not negatively impact the hard work currently underway,” said Pierce, a former longtime CIO and CISO at a Vermont hospital.

“One thing the sector doesn’t need is more studies and reports created. There is no need for further evaluation. It’s time to put the plan into practice,” she said.

Will Legislation Gain Traction?

The two bills are the latest of a handful of bipartisan congressional efforts in recent years aimed at bolstering cybersecurity in healthcare and public health. So far, most of the other proposals have not advanced far in a Congress that is mostly divided along party lines.

“As close as we are to the election, it may be difficult for either bill to pass,” predicted Malachi Walker, federal security strategist at security firm DomainTools.

“Sen. Rosen’s bill has bipartisan support and a good chance of making it through the Senate, but with more representatives and less outlined bipartisan support in the House, it will be an uphill battle for Rosen’s bill to make it out of committee and for Crow’s bill to get passed at all,” he said.

But others are more optimistic. “The number of members of both houses speaking about cybersecurity has increased dramatically,” said Doug Britton, chief strategy officer at RunSafe Security.

“The requests for information from agencies regarding cyber issues have exploded. And the fallout of failures in this area is clear. I think it could gain traction,” he said.

Pierce offered a similar assessment. “These bills could gain traction in Congress as both parties agree that healthcare cybersecurity is a national risk that needs to be addressed,” she said. “With the uncertainty ahead with the upcoming elections, this is a way to solidify the foundation of a basic cybersecurity program for healthcare specifically.”

The healthcare sector would potentially benefit from any cyber help the government might offer, experts said.

“Healthcare is difficult to secure because financially motivated adversaries, knowing lives are at stake if systems are compromised, see healthcare organizations as groups that will do anything to resume business as quickly as possible,” Walker said.

“If they can compromise an online system, adversaries believe they can get a ransom paid with little resistance,” he said.

“CISA and HHS have a vested interest in learning all they can about the persons or organizations behind domains or IP addresses observed in successful or attempted cyber breaches,” he said.

The proposals in both the Crow and Rosen bills “show signs of a first step in addressing these threats and raising the bar on cybersecurity in the sector,” Walker said.

“Both bills incentivize information sharing, cybersecurity training and education for healthcare owners and operators and outline a risk management plan that is not only specific to the healthcare sector but outlines where specialized support is needed in the public health sector,” he said.

Missing from both bills are mentions of HHS’ cybersecurity performance goals that were released earlier this year. The goals aim to help raise the bar in healthcare data security. HHS had said the CPGs are voluntary, but it has hinted they could become mandates for some healthcare sector entities, such as hospitals (see: Feds Wave Sticks & Carrots at Health Sector to Bolster Cyber).

Another major factor the bills fail to address is funding.

“The lack of funding to support these efforts is one of the crucial elements that appears to be missing,” Pierce said. “Many healthcare entities won’t be able to significantly raise the bar without financial support.”

While cyberattacks on the healthcare and public health sector rise, so do other challenges, she said. “There are too many competing priorities, especially in smaller, rural healthcare organizations, to prioritize cyber defense unless it is required – such as moving the CPGs from voluntary to mandatory – and there is funding to support it,” she said.

HHS’ $1.3 billion FY25 budget proposal is not enough to make a significant impact, “but it is a place to start,” Pierce said.

Original Post url: https://www.databreachtoday.com/cisa-hhs-would-team-up-in-health-sector-under-house-bill-a-26176

Category & Tags: –

Views: 3

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
WILEY
Cybercrime Investigators Handbook by WILEY
Cybercrime Investigators Handbook by WILEY
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

LogRhythm
A Guide to User and Entity Behavior Analytics (UEBA)
A Guide to User and...
BONI YEAMIN
100 Offensive Linux Security Tools
100 Offensive Linux Security Tools
SentinelOne
90 DAYS A CISO’S JOURNEY TO IMPACT
90 DAYS A CISO’S JOURNEY...
ChiefExecutive
Ciberseguridad: Prioridad Estratégica para los CEO.
Ciberseguridad: Prioridad Estratégica para los...
CYBER SECURITY COALITION
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
INL/EXT
Cybersecurity for Distributed Wind
Cybersecurity for Distributed Wind
ARTIC WOLF
Cybersecurity Compliance Guide
Cybersecurity Compliance Guide
ESRAA MOHAMAD
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
DRAGOS
Impact of FrostyGoop ICS Malware on Connected OT Systems
Impact of FrostyGoop ICS Malware...
Victor Tong
Digital Operational Resilience Act – Control Mappings
Digital Operational Resilience Act –...
ARMIS
DORA Resiliency Guide Strengthening Cybersecurity and Operational Resilience in the Financial Sector
DORA Resiliency Guide Strengthening Cybersecurity...
IGNITE Technologies
Docker Penetration Testing
Docker Penetration Testing

More Latest Published Posts

Apress
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
CyberJA
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
SOSAFE
CybercrimeTrends 2024 The latest threats and security best practices
CybercrimeTrends 2024 The latest threats and security best practices
Routledge
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Hidaia Mahmood Alassouli
Common Windows, Linux and Web Server SystemsHacking Techniques
Common Windows, Linux and Web Server SystemsHacking Techniques
Cigref
Surviving a Massive cyber-attack by Cigref
Surviving a Massive cyber-attack by Cigref
Splunk
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SOC SIEM Use Cases
SOC SIEM Use Cases
safecode
Six Pillars of DevSecOps- Collaboration and Integration
Six Pillars of DevSecOps- Collaboration and Integration
SentineOne
WatchTower I ntelligence-Driven Threat Hunting
WatchTower I ntelligence-Driven Threat Hunting
CNIL
Security of Personal Data
Security of Personal Data
OPSWAP
Securing ICS SCADA updates OT Environments
Securing ICS SCADA updates OT Environments
Top 300 Azure Sentinel Used Cases KQL (Kusto Query Language) queries
Top 300 Azure Sentinel Used Cases KQL (Kusto Query Language) queries
WITH SECURE
Threat Landscape Update Report
Threat Landscape Update Report
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
Mihaela Curcă
The Role of Cyber Espionage inInternational Relations
The Role of Cyber Espionage inInternational Relations
GLOBAL NETWORK OF DIRECTOR INSTITUTES
THE FUTURE OF BOARD GOVERNANCE
THE FUTURE OF BOARD GOVERNANCE
Deloitte
The CISO’s Guide to Generative AI
The CISO’s Guide to Generative AI
Capgemini
PROMPT THE FUTURE
PROMPT THE FUTURE
Google
We’re All in this Together
We’re All in this Together
CyberSN
U.S. Cybersecurity Job Posting Data Report
U.S. Cybersecurity Job Posting Data Report
CISA | Cybersecurity and Infrastructure Security Agency
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
McKinsey & Company
Transforming risk efficiency and effectiveness
Transforming risk efficiency and effectiveness
Arnold Antoo
Zero Trust Security Model
Zero Trust Security Model
Richea Perry
Your Cybersecurity Toolkit
Your Cybersecurity Toolkit
IGNITE Technologies
Wireless Penetration Testing
Wireless Penetration Testing