TLP White: This week, Hacking Healthcare asks readers to start thinking about cyber-physical incidents and how prepared your organization is to deal with the consequences. Next, we break down the recent announcement that China is unveiling their own global data security initiative and what might be expected as a result. Finally, we briefly examine how the Department of Homeland Security’s (DHS) new Binding Operational Directive, which requires government agencies to adopt a Vulnerability Disclosure Policy, affects the healthcare sector.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).


Please give us a minute of your time to answer a few questions about this week’s Hacking Healthcare topics. We’ll publish the results in an upcoming issue. Survey link follows the articles below.



Welcome back to Hacking Healthcare.


1. Time to Start Thinking About Cyber-Physical Liability.

As the distinction between the cyber and physical worlds increasingly blurs, organizations are likely to face new challenges from the liabilities, rules, and regulations that will follow cyber-physical incidents. According to Gartner, these legal and regulatory changes are likely to occur rapidly because of the serious nature of the potential consequences.

Among the more eyebrow-raising predictions Gartner makes is the claim that 75% of CEOs could be held personally liable for cyber-physical incidents by 2024. Gartner predicts that it will be increasingly difficult for CEOs to “plead ignorance or retreat behind insurance policies.”[1] Additionally, they predict a swift uptick in cyber-physical incidents due to a lack of planning and expenditure in this area. Most worrisome is their analysis that the financial impact of cyber-physical incidents resulting in fatal casualties will pass $50 billion by 2023.[2]

Gartner also cited the concern that many organizations are not fully aware of all the cyber-physical systems that they already have deployed. In commenting about the need to address these issues, Gartner’s research vice president, Katell Thielemann, called on technology leaders to help CEOs understand the threat of cyber-physical incidents and the need to establish “Operational Resilience Management (ORM) beyond information-centric cyber security.”[3]

Action & Analysis
** Membership required **


2. China Unveils its Global Data Security Initiative.

On Tuesday morning, it was announced that China intends to launch a global data security initiative. According to the Global Times, this initiative is touted as a potential worldwide standard for data security and purports to address some of the oft-cited concerns governments and corporations have had with regard to data privacy and security in China.[4]

The Global Times reports that the initiative is made up of eight proposals. Reporting suggests that the initiative includes or supports the following points:[5], [6]

  • States [should] handle data security in a comprehensive, objective and evidence-based manner
  • [Opposition] to ICT activities that use data to conduct activities that undermine other states’ national security and interests
  • [Opposition] to mass surveillance against other states
  • States should not request domestic companies to store data generated and obtained overseas in their own territory
  • States should respect the sovereignty, jurisdiction and governance of data of other states, and any bilateral data access agreement should not infringe upon the judicial sovereignty and data security of a third state
  • ICT products and service providers should not install backdoors in their products and services to illegally obtain user data, or control or manipulate users’ systems and devices
  • ICT companies should not seek illegitimate interests by taking advantage of user dependence on their products, nor force users to upgrade their systems and devices

Zhao Lijian, a Chinese Foreign Ministry spokesperson, is alleged to have stated that “the initiative aims to safeguard global data and supply chain security, promote the development of the digital economy, and provide a blueprint for the formulation of global rules.”[7] Additionally, Chinese government officials are said to have made several thinly veiled rebukes of the United States’ foreign policy on these matters. It is currently unclear just how much global support exists for this initiative.

Action & Analysis
** Membership required **


3. Government Vulnerability Disclosure Gets A Boost.

Last Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) under DHS released a long-awaited Binding Operational Directive (BOD) on vulnerability disclosure policies (VDPs) for the federal government. BOD 20-01 gives government agencies six months to “establish VDPs that forswear legal action against researchers who act in good faith, allow participants to submit vulnerability reports anonymously and cover at least one internet-accessible system or service.”[8]

As a reminder, BODs are “a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems” that may be issued by DHS.[9] This particular BOD comes with DHS’s recognition that “vulnerability disclosure policies enhance the resiliency of the government’s online services” and are “an essential element of an effective enterprise vulnerability management program.”[10]

For agencies that do not have much experience in crafting a vulnerability disclosure policy, BOD 20-01 helpfully outlines the various requirements, provides guidance on implementation, and even links to a VDP template. While VDP establishment in the federal government has been slow thus far, this compulsory directive with clear implementation instructions should help speed up VDP adoption.

Action & Analysis
** Membership required **




Please take one minute to answer a few questions about this week’s Hacking Healthcare by visiting this link:






Tuesday, September 9th:

– Senate – Committee on Health, Education, Labor, and Pensions: Hearings to examine vaccines, focusing on saving lives, ensuring confidence, and protecting public health.


Wednesday, September 10th:

– No relevant hearings


Thursday, September 11th:

– No relevant hearings




International Hearings/Meetings


– No relevant hearings



EU –

Wednesday, September 10th:

– European Parliament – Committee on the Environment, Public Health, and Food Safety


Thursday, September 11th:

– European Parliament – Committee on the Environment, Public Health, and Food Safety





Sundries –


Ransomware hits two state-run organizations in the Middle East and North Africa

France warns of Emotet attacking companies, administration

Microscopes Powered by Google’s AI Could Change Cancer Diagnostics




Conferences, Webinars, and Summits


Contact us: follow @HealthISAC, and email at