H-ISAC Hacking Healthcare 1-12-2021
TLP White: This week, Hacking Healthcare attempts to outline some of what the healthcare sector can expect as the Biden administration looks to begin its term. Specifically, what does the new administration’s stance on cybersecurity mean for healthcare, and who will be the important figures in helping to create and implement policies that protect critical infrastructure? We wrap up with a quick breakdown of issues the healthcare sector may wish to promote during the transition.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
Welcome back to Hacking Healthcare.
1. The Incoming Biden Administration Will Bring Changes to Cybersecurity and Healthcare
The tumultuous partisanship that almost certainly promised to make President-elect Joe Biden’s transition a difficult and drawn-out affair was significantly eased by the Democratic party’s wins in both of Georgia’s Senate races. With the Democrats controlling the Senate, Biden seems all but assured to have his nominees for a variety of cybersecurity and healthcare related positions confirmed. With this in mind, we felt it would be appropriate to help flesh out what we know about Biden’s plans for healthcare and cybersecurity, what we know about the incoming nominees who will play a part in both, and what the healthcare sector may want to push for in the coming months and years of the new administration.
Renewed Cyber Focus
The previous four years were uneven for cybersecurity across the board. Despite significant successes, such as the secure 2020 election, the Trump administration’s 2018 removal of the National Cybersecurity Coordinator position signaled a devaluation of cybersecurity’s overall importance. Perhaps nothing emphasizes how essential it is for the new administration to prioritize this issue as much as the recent SolarWinds incident, which has sent shockwaves through the public and private sectors alike.
Thankfully, Biden appears aware of the need to renew the nation’s cybersecurity focus. On December 17th, he reiterated that his administration will “make cybersecurity a top priority at every level of government…[and] will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people.”[1] Additionally, he hinted that he isn’t opposed to continuing a strategy that looks to impose costs and better disrupt malicious actors.[2]
While Biden’s first 100 days will undoubtedly be filled by a plethora of important issues, the imperative to revamp the federal government’s COVID-19 strategy and the need to address the fallout of SolarWinds may result in extra attention being paid to the conflux of healthcare and cybersecurity. This will be welcome as the healthcare sector continues to bear the burden of incessant ransomware and espionage attacks.
Incoming Biden Nominees
For those who worry that words may not translate into actions, the number of nominees for important administration positions that have cyber experience should alleviate some concerns. While still very much in the thick of announcing transition nominees, several high-profile names have already been tapped for positions that will impact cybersecurity and the healthcare sector.
Alejandro Mayorkas, Secretary of Homeland Security (DHS): Having served in the Obama administration as the Deputy Secretary of DHS, Mayorkas is no stranger to cybersecurity issues and was involved in the 2015 intellectual property theft negotiations with China. Well-regarded cybersecurity officials have noted his attentiveness to cyber issues, ability to quickly grasp them, and willingness to seek expert advice.[3] With this in mind, Mayorkas will almost certainly be a strong supporter of CISA and more general efforts to support critical infrastructure sectors.
Xavier Becerra, Secretary of Health and Human Services (HHS): While not a physician, the current Attorney General of California is no stranger to healthcare or privacy issues. Xavier helped lead efforts to protect the Affordable Care Act, and as the AG of California, he has been charged with enforcing the California Consumer Privacy Act (CCPA).
Avril Haines, Director of National Intelligence: The former Deputy CIA Director and Deputy National Security Advisor brings significant experience in national security and intelligence issues, including familiarity with a variety of cybersecurity and technology issues.
Anne Neuberger, Deputy National Security Advisor for Cyber Security: A career intelligence official currently serving as the NSA’s Director of Cybersecurity, Neuberger’s new role will see her “responsible for coordinating the federal government’s cybersecurity efforts.”[4] She should excel in her new position as she has significant experience working with the cybersecurity and intelligence community, congressional committees, and the private sector.[5]
Lisa Monaco, Deputy Attorney General: The decision to nominate Monaco to the position of Deputy AG further entrenches cyber expertise across the board. A former Homeland Security Advisor under President Obama, as well as an Assistant Attorney General for the National Security Division, Monaco “prioritized national security cyber threat prosecutions” while she was at DOJ.[6] She also oversaw several cybersecurity issues while at the White House, and worked closely with the cybersecurity directorate of the National Security Council. This experience bodes well at a time when malicious cyber actors appear bolder than ever.
National Cyber Director (NCD), TBD: The NCD is a new creation of the recently passed NDAA. This new, Senate-confirmed position will look to coordinate the federal government’s various digital missions and serve as the president’s principal cyber advisor. Importantly, it will drastically increase the visibility and resources allocated towards cyber issues, as the position is set to include a supporting staff of between 75 and 100 individuals.
While this is not the full extent of Biden’s nominees, it should serve to highlight that the Biden administration recognizes the growing importance of cybersecurity issues. All of these individuals will contribute to how the incoming administration looks to secure critical infrastructure sectors like healthcare, as well as how the administration will look to deter malicious cyber activity, and what kinds of cybersecurity and privacy policies they will look to implement.
What It All Means
The incoming Biden administration is likely very excited by the opportunity to tackle a host of healthcare issues. Everything from bolstering the ACA and Medicaid to lowering drug prices has been cited as a major target along the campaign trail. However, with only the slimmest of majorities in the Senate, some of Biden’s loftier goals may not be quite so realistic for the time being. That may end up being beneficial to those in the healthcare sector who are hoping for some continuity and are fearful of a sudden about-face from the Trump administration’s policies. This is especially true in politics, where there is often a disincentive to bolstering the “other side’s” efforts.
While the allure of coming in to completely overhaul systems and industries is understandable, it can often come at the cost of failing to support organizations, processes, initiatives, and structures that are already in place and working effectively. The new administration will undoubtedly still look to make significant changes where they can, but they should also be strongly encouraged by the healthcare sector to shore up existing efforts and not necessarily look to reinvent the wheel.
There are a few areas where this mindset could be emphasized:
First, it would be ideal for there to be further recognition and support of the ISACs and Sector Coordinating Councils (SCCs). These entities have proved to be invaluable at disseminating information and coordinating within and between the public and private sector entities that make up the various critical infrastructure and industry sectors. With cyber threats proliferating, effective information sharing and coordination are even more necessary.
Second, with cyberattacks on the healthcare sector now commonplace, a renewed focus on the National Infrastructure Protection Plan (NIPP) would be a worthwhile investment. The NIPP, which “outlines how government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes,” could be assessed for potential updates to ensure it’s able to meet current threats.[7]
Lastly, some health experts have noted that it is likely that a Biden administration will continue to support interoperability and telehealth efforts, especially as both could be beneficial to tackling COVID-19 in the short term, as well as planning for future pandemics. While a continuation of existing efforts would be good, the transition may provide an opportunity to reemphasize the role of privacy and security for both.
Congress –
Tuesday, January 12th:
– No relevant hearings
Wednesday, January 13th:
– No relevant hearings
Thursday, January 14th:
– No relevant hearings
International Hearings/Meetings –
– No relevant hearings
EU –
Sundries –
English court quashes general hacking warrants
State Dept. to Create New Cybersecurity & Technology Agency
Ransomware Victims’ Data Published via DDoSecrets for research
https://www.darkreading.com/risk/ransomware-victims-data-published-via-ddosecrets/d/d-id/1339848
Conferences, Webinars, and Summits –
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://buildbackbetter.gov/press-releases/statement-by-president-elect-joe-biden-on-cybersecurity/
[2] https://buildbackbetter.gov/press-releases/statement-by-president-elect-joe-biden-on-cybersecurity/
[3] https://www.cyberscoop.com/alejandro-mayorkas-biden-dhs-secretary-cybersecurity/
[4] https://www.politico.com/news/2021/01/06/biden-white-house-cybersecurity-neuberger-455508
[5] https://www.politico.com/news/2021/01/06/biden-white-house-cybersecurity-neuberger-455508
[6] https://www.cyberscoop.com/biden-transition-cybersecurity-nominees/
[7] https://www.cisa.gov/national-infrastructure-protection-plan