This week, Hacking Healthcare begins with a brief run through of a new guidance document on supply chain security from the UK’s National Cyber Security Centre (NCSC) that coincides with an uptick in supply chain attacks. Next, we summarize a significant number of Biden administration cybersecurity efforts that are likely to impact the healthcare and public health (HPH) sector in both the short and long term within the US. This includes comments from the Deputy National Security Advisor, and excerpts from the recently released National Security Strategy and White House fact sheet on cybersecurity which all point to a changing cybersecurity landscape for the HPH sector.
Pdf version:Hacking Healthcare 10.19 V5 White
Welcome back to Hacking Healthcare.
1. Health-ISAC Monthly Threat Brief
As a reminder, next Tuesday the Health-ISAC will be holding its monthly Threat Brief. This hour-long presentation from the Health-ISAC staff and Health-ISAC partners briefs members on current and emerging technical, physical, legal, and regulatory threats to the HPH sector. The Threat Brief is private and free to Health-ISAC members.
2. UK NCSC Warns of Increase in Supply Chain Attacks
Supply chain attacks have gained prominence recently with malicious cyber actors often finding it easier to reach intended targets through less well defended suppliers. Following a recent spate of supply chain attacks, the UK’s NCSC has issued fresh guidance designed primarily for medium and larger organizations to help “assess the cyber risks of working with suppliers and gain assurance that mitigations are in place.”
The freely available 29-page document provides an accessible framework for organizations to follow. Helpfully, the NCSC approach is organized into five stages that includes what to consider before embarking on your journey to assess and mitigate supply chain risk and how to continuously improve after you’ve implemented your plan. The five stages are:
- Before you start
- Developing an approach to assess supply chain cybersecurity
- Applying the approach to new supplier relationships
- Integrating the approach to existing supplier relationships
- Continuously improving
Taken together, these steps combine to help organizations “gain confidence in [their] supply chain cybersecurity.”
The document was written with “procurement specialists, risk managers and cybersecurity professionals wanting to establish (or improve) an approach for assessing the cybersecurity of their organisation’s supply chain” in mind, but it can be helpful to anyone looking to understand a fairly strategic and high-level way of implementing a supply chain security strategy.
Action and Analysis
3. Biden Administration National Security Strategy and Critical Infrastructure Announcements
Cybersecurity awareness month appears to be living up to its name with the Biden administration making a number of notable announcements that have summarized recent administration cybersecurity efforts, while also outlining where they plan on focusing their energy going forward.
Administration Fact Sheet
On October 11th, the White House published a fact sheet entitled Biden-Harris Administration Delivers on Strengthening America’s Cybersecurity. Predictably, the administration’s first focus is on improving the cybersecurity of critical infrastructure sectors, with healthcare specifically mentioned. Performance-based directives and cybersecurity performance goals were the throughline here, and they were cited as one area that will see continued effort.
Additionally, the fact sheet touched on the Biden administration’s increasingly broad international engagement. There appears to be a sustained effort to work with foreign partners to counter malicious cyber threats and support cyber norms, such the avoidance of targeting critical infrastructure.
However, the most notable aspect might be the announcement of an effort to create a cybersecurity labeling scheme for IoT devices. Details are sparse at the time of writing, but this initial labeling effort does not seem to extend to medical devices.
Critical Infrastructure Focus Expands
While the energy and transportation sectors have seen a bit more tailored focus in recent months, it appears those efforts are broadening to a wider range of critical infrastructure sectors. Speaking at an event last week, the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, announced that healthcare, water, and communications were set to receive increased attention. While specific details were not forthcoming, she is quoted as saying that Health and Human Services (HHS) will be “with partners at hospitals to put in place minimum cybersecurity guidelines, and then further work upcoming thereafter on devices and broader healthcare as well.”
National Security Strategy
Finally, the Biden administration also released an updated National Security Strategy. The National Security Strategy is a document that outlines the issue areas that are of particular concern from a national security perspective and then briefly describes how the administration is or is planning to address them. Cybersecurity issues have increasingly been cited in recent years and this most recent strategy document was no exception.
The document calls out the threat of cyberattacks on national health systems and the importance of improving the security and resiliency of critical infrastructure sectors from cyber threats. Included in this was the reiteration that they “are working closely with allies and partners, such as the Quad, to define standards for critical infrastructure to rapidly improve our cyber resilience.”
Additionally, the document suggested that the administration may be more aggressive and proactive in responding to cyber threats by saying “We aim to deter cyberattacks from state and non-state actors and will respond decisively with all appropriate tools of national power to hostile acts in cyberspace, including those that disrupt or degrade vital national functions or critical infrastructure.”
Action and Analysis
Tuesday, October 18th:
– No relevant hearings
Wednesday, October 19th:
– No relevant hearings
Thursday, October 20th:
– No relevant hearings
– No relevant meetings
Conferences, Webinars, and Summits
Contact us: follow @HealthISAC, and email at email@example.com
About the Author
Hacking Healthcare is written by John Banghart, who served as a primary advisor on cybersecurity incidents and preparedness and led the National Security Council’s efforts to address significant cybersecurity incidents, including those at OPM and the White House. John is currently the Senior Director of Cybersecurity Services at Venable. His background includes serving as the National Security Council’s Director for Federal Cybersecurity, as Senior Cybersecurity Advisor for the Centers for Medicare and Medicaid Services, as a cybersecurity researcher and policy expert at the National Institute of Standards and Technology (NIST), and in the Office of the Undersecretary of Commerce for Standards and Technology.
John can be reached at firstname.lastname@example.org and email@example.com.