Why HHS' Cybersecurity Goals Aren't Necessarily Voluntary
Kate Pierce of Fortified Health Security on Meeting Essential Standards
Healthcare sector entities need to focus their attention on meeting the "voluntary" essential and enhanced cybersecurity performance goals set out by federal regulators before those recommendations become regulatory mandates, said Kate Pierce, virtual information security officer at Fortified Health Security.
Even cash-strapped healthcare entities could have a better shot at achieving the Cybersecurity Performance Goals set out by the Department of Health and Human Services if the fiscal 2025 budget proposal released on Monday by the Biden administration is approved, Pierce said.
"The budget earmarks $1.3 billion toward improving cybersecurity in the health sector, with about $800 million targeting our under-resourced organizations. This should give those entities a nice boost in getting started in putting in these minimum standards," she said in an interview with Information Security Media Group during the Healthcare Information and Management Systems Society 2024 conference in Orlando, Florida.
Essential cybersecurity performance goals set by HHS include mitigating known vulnerabilities; using email security, multifactor authentication, strong encryption and incident response planning; separating user and privileged accounts; addressing vendor and supplier risk; and offering cybersecurity training to employees.
The enhanced goals aim to help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors, HHS said. Those goals address issues such as asset inventory, third-party vulnerability disclosures and incident reporting, and cybersecurity testing and mitigation.
In the short term, entities should at the very least ensure they are meeting the essential goals set by HHS before there are regulatory consequences for not implementing them, according to Pierce.
HHS is expected to be working on ways to enforce these goals, transitioning them from "voluntary" standards to requirements in the next few years, she said.
"We'll see what that looks like, but I would encourage organizations to start with these minimum goals and meet all of them," said Pierce.
"We all need to work together to ensure we're bringing up that minimum standard in order to ensure that the healthcare sector is no longer such an attractive target for cybercriminals."
In this audio interview with Information Security Media Group at HIMSS, Pierce also discussed:
- Battling malicious and accidental insider threats;
- The importance of effectively managing privileged accounts;
- The impact of the Change Healthcare attack on the healthcare sector and what comes next.
Pierce is senior virtual information security officer and executive director of the subsidy program at Fortified Health Security. She has over two decades of experience in healthcare with a specific focus on small, rural and not-for-profit healthcare organizations. Prior to joining Fortified Health, Pierce served as the longtime CIO and CISO at North Country Hospital, a 25-bed community hospital in Vermont.