This week, Hacking Healthcare examines the newly published United States National Cybersecurity Strategy. After briefly summarizing the structure and primary engagement areas, we dive into which kinds of impacts the strategy may have on the healthcare sector.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
TLP WHITE - 3.16.2023 -- Hacking Healthcare
Welcome back to Hacking Healthcare.
U.S. National Cybersecurity Strategy
The Biden-Harris administration recently released their National Cybersecurity Strategy on March 2, 2023. The new strategy, the first since 2018, builds on President Biden’s earlier cybersecurity efforts and is partially shaped by the SolarWinds, Colonial Pipeline, and JBS attacks.[i] While devoid of specific action items, the strategy signals the lines of effort that the administration is prioritizing, and more than a few are expected to have significant impacts on the healthcare sector.
The strategy is based around five key pillars of interest that sets goals for the next decade of investment and cooperation in cyberspace. The strategy is unique in that it seeks to adjust how the government prioritizes and allocates roles, responsibilities, and resources in cyberspace.[ii] While not wholly divergent from previous strategies and existing initiatives, the new national cybersecurity strategy does emphasize two important distinctions.
First, it recognizes the need to shift the burden of cybersecurity responsibility from small businesses and individuals to those who have the resources and capacity to take it on. In this regard, the document states that “our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.”[iii]
Secondly, the strategy also affirms the need to focus on building a digital ecosystem that is “more resilient and defensible over the long term.”[iv] The strategy outlines how this shift encompasses adjusting market forces, attending to the workforce shortage, embracing secure by design principles, and promoting strategic coordination. Notably, it states that the federal government’s actions will prioritize “minimally invasive actions.”[v]
The Administration recognizes that these themes will not be achieved without public-private cooperation and encourages the private sector to assume its share of responsibility alongside the government.
The National Cyber Strategy is broken down into the following five pillars, each with their own strategic objectives:
Defend Critical Infrastructure
In order to ensure the safety and security of the nation’s critical infrastructure, the Administration sets out goals to establish cybersecurity requirements that directly support national security and public safety. This includes encouraging harmonizing new and existing regulations while enabling regulated entities to afford security. This pillar also highlights scaling public-private collaboration, integrating federal cybersecurity centers, updating federal incident response plans and processes, and modernizing federal defense systems.[vi]
Disrupt and Dismantle Threat Actors
This pillar’s strategic objectives include integrating the deployment of federal disruption activities and enhancing public-private operational collaboration to disrupt adversaries.[vii] In order to achieve these goals, this pillar notes that increasing the speed and scale of intelligence sharing and victim notification are integral as well as make it easier for victims to report abuse. This pillar is targeted at countering cybercrime with a specific focus on defeating ransomware, which has been the cause of so many recent largescale disruptions.
Shape Market Forces to Drive Security and Resilience
In order to address the security and resiliency of America’s digital ecosystem, the strategy says it is necessary to hold the “stewards of our data” accountable.[viii] Other strategic objectives within this pillar include securing IoT devices, shifting liability for insecure software products and services, leveraging federal grant money to build secure-by-design, federal procurement to improve accountability, and exploring a federal cyber insurance backstop.
Invest in a Resilient Future
Financing and long-term investments are key elements in ensuring the nation’s cybersecurity. This pillar’s strategic objectives highlight the need to secure the technical foundation of the internet, reinvigorate federal research and development in cybersecurity, and strengthen the cyber workforce. This pillar also specifically addresses supporting a digital identity ecosystem, a clean energy future, and a post-quantum future.
Forge International Partnerships to Pursue Shared Goals
In order to counter threats against the digital ecosystem, this pillar seeks to build coalitions with a diverse group of partners around a democratic vision of cyberspace. It desires to strengthen the capacity for international partners, expand the U.S.’ ability to assist its allies, reinforce global norms of responsible state behavior, and secure global supply chains for information, operational technology products, and services.[ix]
In terms of implementation, the Office of the National Cyber Director (ONCD) is now tasked with working with the Office of Management and Budget (OMB) to coordinate the implementation of the pillars.
Action & Analysis
**Included with Health-ISAC Membership**
Tuesday, March 14th:
– No relevant hearings
Wednesday, March 15th:
– No relevant meetings
Thursday, March 16th:
– Senate – Homeland Security and Governmental Affairs Committee: Hearings to examine the cybersecurity risks to the healthcare sector
– No relevant meetings