Why the Rosen-Cassidy Healthcare Cybersecurity Act May Fail
The Senate Homeland Security and Governmental Affairs Committee, which has authority over the Cybersecurity and Infrastructure Security Agency (CISA), has introduced the Healthcare Cybersecurity Act to strengthen America against Russian cyber-threats.
Background on the Healthcare Cybersecurity Act
On March 24th, 2022, US Senators Jacky Rosen and Bill Cassidy announced their bipartisan Healthcare Cybersecurity Act which would:
- Require CISA and Health and Human Services (HHS) to collaborate, including agreeing to improve cybersecurity in the Healthcare and Public Health Sector, as defined by CISA.
- Authorize cybersecurity training for Healthcare and Public Health Sector asset owners and operators on cybersecurity risks and ways to mitigate them.
- Require CISA to conduct a detailed study on specific cybersecurity risks facing the Healthcare and Public Health Sector, including an analysis of how cybersecurity risks specifically affect healthcare assets, an evaluation of the challenges healthcare assets face in securing updated information systems, and an assessment of relevant cybersecurity workforce shortages.
Senator Jacky Rosen, the Democrat from Nevada and a member of the Homeland Security and Governmental Affairs Committee, feels the need to act: 47% of the people in Nevada had their healthcare data stolen last year.
Bill Cassidy, MD, the Republican senator from Louisiana and a member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, gets it. Only 1.2% of the 2021 data breaches affected his state, yet as a medical doctor, he understands how quickly the problem can spread.
Considering the 50 million Americans who had their healthcare data breached last year, the bill is timely.
Among many concerns within the Healthcare industry, the drastic increase in personal devices gathering detailed information makes healthcare attractive to cyber-criminals who seek data worth 50 times that of financial information.
Support from the White House and the American Hospital Association (AHA)
The bill aligns with both the Biden-Harris administration's recent call to action for the private sector to strengthen its defenses in preparation for Russian cyber-attacks and the AHA's urging that healthcare organizations ensure their cyber resiliency is strong enough to withstand such attacks.
The American Hospital Association Recommendations
The AHA implores organizations to:
- Build IT awareness across the organization and IT teams
- Monitor traffic and educate staff
- Geo-fence traffic to and from Russia
- Prioritize mission critical services and technology
- Develop 4-to-6-week business continuity plans and rehearse them
- Segment networks, back them up, and assess the back-ups
- Confirm generators work, are redundant, resilient, and have fuel reserves
- Build a leadership-level cyber-response plan and rehearse it
Currently, WhisperGate, HermeticWiper, and PrintNightmare are the chief threats able to disrupt critical services. That includes their ability to do an end-run around Two-Factor Authentication and achieve inner network access.
The best defense comes from the work of CISA and their Shields Up campaign. Despite the Star Trek reference, CISA has gathered intelligence on the Russian threat and has a detailed plan of action along with a direct line (888.282.0870) to report cyber incidents quickly so they can share them in their Vulnerabilities Catalog.
In addition, CISA has created free tools and services to aid in:
- Reducing potentially damaging intrusions
- Detecting intrusions
- Ensuring that companies can respond if one occurs
- Maximizing resiliency
- Understanding the Russian state-sponsored threats to US infrastructure
The Top 3 Reasons America May Not Succeed
The US may not be able to prevent the destruction endured by those already attacked, like Ireland. Unlike Ireland, the US has no public purse. In the US, top nonprofit health system executives each made $7 million or more. However, sufficient cybersecurity budgets do not exist for 41% of those surveyed for this year's HIMSS cybersecurity survey. Among those who do have a budget, it totals 6% or less.
Budgets for Cybersecurity are not a priority
- Over 73% of those surveyed reported having legacy operating systems that have reached obsolescence (Windows Server 2008, Windows 7, legacy medical device OS, industrial control system OS, Windows XP, and Windows Server 2003 and 2003 R2). These systems are unsupported and lack available patches, making them highly vulnerable.
- One-third of respondents reported that their budgets are not changing. 27% have nothing specified for cybersecurity in their IT budgets.
Staff must resort to high-risk workarounds to get their jobs done
- Staff compliance (43%) is the second challenge. It tells the real story about the effect of privately held health systems — we neglect our public health.
- Policy compliance is difficult because policies are not updated and have outdated procedures hindering the day-to-day workflow. Exceptions are granted inconsistently.
- Audits are done but not integrated into an active governance policy. When audits trigger change, things improve. When they are shelved, nothing changes.
Public health is not prioritized
COVID-19 reminded us of a time-tested meme: "Nobody expects to get rich going into public health, but when something goes wrong, they are the ones held accountable."
While COVID-19 was tragic, it was only the first bitter pill. The next pill we will swallow will be the cyber one Jason Weiss brought out of the shadows.
Where Agio Is in All This
In short, we support the Act but believe it must go much further to protect American Healthcare.
Our Extended Detection & Response (XDR) service recognizes that today's cyber-climate is burning out even highly skilled security analysts, whether they are in-house or not. Without XDR, organizations have more notifications, alerts, and alarms than can be managed.
To resolve that situation, our AI-XDR's real value lies in eliminating burn-out and keeping organizations running efficiently through dashboards that orchestrate and combine data from competing tools.
We are aligned with CISA and support collaboration in a federated system. By sharing data, CISA can discuss attacks in near real-time with potentially affected peers. Sharing the details of an attack reduces its impact on others.
Healthcare infrastructure is no different than an infrastructure of bridges. When a bridge crumbles, cars find a workaround. When a hospital is attacked, people die — even those outside the building. Everyone with a medical device is affected when a Healthcare network collapses.
The Rosen-Cassidy bill is a heroic effort, but it needs money from the Infrastructure Act to support the Herculean efforts it will take to make us safe. America does not have the Healthcare social blueprint of Ireland, yet it will be attacked by Russian forces in the same way. Private budgets need to refocus on cybersecurity. Simulation exercises must become routine, penetration tests must become a habit, and sharing information must be commonplace.
Our three critical keys to protecting your organization’s data
- The AGIO Security Risk Assessment
- The Penetration Test
- Our XDR experts – folks who love lots of data and enjoy challenges
Ready to improve your cybersecurity strategy? Contact us. We can help.