Health-ISAC Hacking Healthcare 4-24-2025

This week, Health-ISAC®'s Hacking Healthcare® begins with an update on U.S. legislative attempts to reauthorize the Cybersecurity and Information Sharing Act of 2015. Then, we briefly break down the concerns that were raised when it was unexpectedly announced that funding for the Common Vulnerabilities and Exposures (CVE) program was a day away from expiring.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
PDF Version: TLP WHITE Hacking Healthcare 4.24.2025 (PDF, 253 kB)
Text Version:
Welcome back to Hacking Healthcare®.
CISA 2015 Reauthorization
Two months ago, Hacking Healthcare covered concerns that the Cybersecurity and Information Sharing Act of 2015 (CISA 2015) was set to expire in less than a year with no guaranteed path to reauthorization.[i] Fortunately, there has been some positive movement in the past few weeks worth noting.
Background
We invite you to review Hacking Healthcare from February 19 for a more comprehensive breakdown of what CISA 2015 is, but the brief version is that it is a law that encourages voluntary cyber information sharing between the government and the private sector and within the private sector itself. Importantly, CISA 2015 provides legal protections for those who receive and share information, provided it is done in accordance with its provisions.
The concern we raised in February was that CISA 2015 was signed into law with a provision for it to expire at the end of this September, and there was significant uncertainty that it would find the support it needed within the Trump administration or Congress to be reauthorized.
Updates
There have been a few developments since February.
First, a bipartisan bill to reauthorize CISA 2015 has been introduced in the Senate by Sen. Peters [D-MI] and Sen. Rounds [R-SD].[ii] Their Cybersecurity Information Sharing Extension Act would essentially reauthorize CISA 2015 for another 10 years. The bill has already received support from some industry groups, with the Bank Policy Institute and U.S. Chamber of Commerce lauding the effort.[iii]
Secondly, Congressional leadership in the House of Representatives’ Homeland Security Committee has agreed to review the bill as well. This will include a hearing by the Cybersecurity and Infrastructure Protection subcommittee sometime in May. However, while many Democratic lawmakers have been more outgoing and enthusiastic in their support for a CISA reauthorization bill, some Republican lawmakers have been more muted and cautious in their public statements.
CVE Program Funding Nearly Lapses
The cybersecurity community was briefly shocked last week when it became known that the CVE program’s U.S. government funding was days away from lapsing. While the Cybersecurity and Infrastructure Security Agency (CISA) ultimately executed an option to continue to fund the program, the close call may ultimately be the catalyst for significant changes.
What is the CVE Program?
The CVE program is a “voluntary, international, community-driven effort to identify, define, catalog, and share information about publicly disclosed cybersecurity vulnerabilities.”[iv] It has evolved significantly since its inception in 1999 and has become the “de facto international standard for vulnerability identification and the backbone of the vulnerability management ecosystem.”[v] Over the past 25 years, its mission and capabilities have grown, and it is now supported by over 450 CVE Numbering Authority (CNA) partner organizations across the globe.[vi]
The CVE program ensures that organizations can quickly and easily identify a specific vulnerability despite potentially encountering it in different contexts with different tools, while also providing authoritative data about that vulnerability. The CVE program and its catalog act as the basis of numerous other cybersecurity efforts, such as national level vulnerability databases and advisories, tool vendors, incident response operations, and research programs.
What Happened?
Since its inception, the CVE program has been hosted by the not-for-profit MITRE Corporation and has received much of its funding from various sources within the U.S. government. In recent times, CISA has been the federal agency providing the funding needed to operate the program, which some sources put at “tens of millions of dollars per contract.”[vii]
Early last week, the MITRE Corporation announced that its contract with the U.S. government was a day away from expiring. Had the CVE program run out of funding and ceased operations, the impact on how organizations manage vulnerabilities would have been significantly negative, and as a result there was a swift and significant public reaction.[viii] Thankfully, prior to expiration, CISA announced it had identified funding and had actioned an 11-month extension. However, the close call has raised serious concerns about the long-term viability of the CVE program in its current form, as well as fears of a potential fragmentation of the ecosystem.
We will explore both the updates to CISA 2015 and fallout from the CVE funding scare in the Action & Analysis section.
Action & Analysis
**Available with Health-ISAC Membership**
Report Source(s)
Sources
[i] https://health-isac.org/health-isac-hacking-healthcare-2-19-2025/
[ii] https://www.congress.gov/bill/119th-congress/senate-bill/1337/cosponsors?s=4&r=12&q=%7B%22search%22%3A%22Peters%22%7D
[iii] https://insidecybersecurity.com/daily-news/industry-groups-praise-introduction-peters-rounds-bill-extend-information-sharing-law
[iv] https://www.cve.org/resourcessupport/allresources/cnarules
[v] https://www.cve.org/Resources/Media/Cve25YearsAnniversaryReport.pdf
[vi] As defined by the CVE program, CNAs “are vendor, researcher, open source, CERT, hosted service, bug bounty provider, and consortium organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage.” https://www.cve.org/programorganization/cnas
[vii] https://www.wired.com/story/cve-program-cisa-funding-chaos/
[viii] https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html
[ix] https://www.washingtonpost.com/politics/2023/10/18/lone-senator-stymies-cyber-legislation-senate/
[x] https://cyberscoop.com/cve-mitre-house-energy-and-commerce-committee/
[xi] https://embed.documentcloud.org/documents/4788035-082718-MITRE-Recommendations-for-CVE-Program-1/
[xii] https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html
[xiii] https://www.thecvefoundation.org/home
[xiv] https://www.thecvefoundation.org/home
[xv] https://portswigger.net/daily-swig/cve-board-slams-distributed-weakness-filing-project-for-publishing-unauthorized-cve-records
[xvi] https://euvd.enisa.europa.eu/
[xvii] https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng