This week, Hacking Healthcare™ examines a new report from the Cyberspace Solarium Commission 2.0 that assesses the state of healthcare cybersecurity in the U.S. and provides recommendations for public and private sector alike. We briefly detail the contents of the report before digging into some of the notable takeaways in the action and analysis section.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
PDF Version:
TLP WHITE - 6.7.2024 -- Hacking Healthcare™
Text Version:
Welcome back to Hacking Healthcare™
Cyberspace Solarium Commission 2.0 Report Highlights Health-ISAC and Illustrates Healthcare Cybersecurity Maturity Challenge
Continuing the work of the influential Cyberspace Solarium Commission (CSC), the CSC 2.0 project has recently released a report detailing challenges facing the healthcare and public health (HPH) sector alongside 13 recommendations for improvements. Let’s review the issues they’ve highlighted and ways in which they believe they might be addressed.
What Is the CSC and the CSC 2.0 Project?
The CSC was “established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019.”[i] It led to the creation of a bipartisan group of Congress members and private sector experts who came together to develop a seminal report aimed at “develop[ing] a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.”[ii] The report itself is a thorough 182-page document consisting of over 80 recommendations across six distinct pillars.[iii]
While the CSC and its works have been impactful for helping to guide U.S. cyber policy over the years, it was not meant to last forever. As such, while the original CSC as outlined by the John S. McCain National Defense Authorization Act for Fiscal Year 2019 has been sunset, the CSC 2.0 project has taken the reins to “preserve their legacy and continue their work.”[iv]
CSC 2.0 Healthcare Report
The report opens with an overview of some of the well-known cyber challenges the HPH sector faces, some specific challenges to rural and small HPH entities, and some of the current government efforts to address these challenges. Additionally, the scene-setting section of the report champions the value of industry-led collaboration, where the efforts of Health-ISAC and Health Sector Coordinating Council (HSCC) are highlighted.
Citing a number of recent high-profile cyberattacks against U.S.-based healthcare organizations since 2021, the report “provides 13 recommendations directed at the executive branch, Congress, and the healthcare sector to guide the sector into a safer, more resilient future.”[v]
At a high level, the recommendations are:
Executive Branch
1. Develop New, Long-Term Sector-Specific Cybersecurity Objectives
2. Work With Industry to Identify, Prioritize, and Secure Life-Saving Services
3. Iteratively Update HHS’s Cybersecurity Performance Goals (CPGs)
4. Accelerate the CPG Compliance Incentivization Program’s Timeline
5. Create a Rural Hospital Cybersecurity Workforce Development Strategy
6. Reassess Systemically Important Entities List
Congress
7. Ensure Sector Risk Management Agency (SRMA) Resources and Organizational Structure Are Optimally Efficient
8. Increase Funding for HHS’s SRMA Capabilities
9. Fund HHS’s CPG Resourcing and Incentive Program
10. Direct and Resource HHS to Establish a Rural vCISO Pilot Program
Industry
11. Spend More on Cybersecurity
12. Provide Cyber Hygiene Training to All Employees
13. Develop Regional Contingency Plans for Healthcare Providers
While these are more thoroughly developed in the full report, we dig deeper into some of the notable aspects in the Action & Analysis section below.
Action & Analysis
**Included with Health-ISAC Membership**
Upcoming International Hearings/Meetings:
- – EU
No relevant meetings at this time
- – US
No relevant meetings at this time
- – Rest of World
No relevant meetings at this time