Cybersecurity Executive Order: Lessons for Healthcare?
Experts Say Use of NIST Framework, Involvement of Senior Leadership Critical
President Trump's recently signed cybersecurity executive order, which requires federal agencies to use the cybersecurity framework developed by the National Institute of Standards and Technology, highlights strategies some security experts would like all healthcare organizations to follow as well.
Trump's May 11 executive order also places responsibility for cybersecurity on departmental secretaries and agency directors and emphasizes the use of risk management throughout the federal government to secure digital assets (see Trump Finally Signs Cybersecurity Executive Order).
Some healthcare information security experts say the executive order includes common-sense measures that hospitals, clinics and others should adopt.
"My initial reaction to the EO is that it is a good path toward improving the way cybersecurity will be handled more consistently," says Curt Kwak, CIO at Proliance Surgeons, a large surgery practice based in Washington state, and former CIO of the state's health insurance exchange under the Affordable Care Act. "Having a single framework as a baseline is always a good thing, especially when you are talking about a mandate of aligning with NIST."
Proliance Surgeons uses the NIST framework as a guideline for its security assessments, Kwak says. "I personally think this is a good thing as I see potential of improving the understanding and practice of cybersecurity best practices."
But in the healthcare sector, use of the NIST framework is encouraged, not mandated. As a result, many organizations skip the framework's more robust security practices in favor of the less rigorous requirements of HIPAA compliance.
"Regarding cybersecurity of healthcare systems as a component of the 'critical infrastructure,' it may be worthwhile to note that federal security regulations, including NIST guidance, have always been conveniently available to the private sector," says Dixie Baker, senior partner at the consulting firm Martin, Blanck and Associates.
"However, federal healthcare systems require much stronger security protection than the HIPAA Security Rule requires. ... So even when private healthcare organizations are made aware of these stronger protections [called for by NIST], they generally are rejected, usually due to cost or convenience considerations," Baker says. She served for several years as a member of the Health IT Standards Committee, the now disbanded federal advisory committee.
Mac McMillan, president of the security consultancy CynergisTek and a former Department of Defense information security director, says he'd like to see the federal government expand the mandated use of the NIST framework to all regulated industries, including healthcare.
McMillan notes that at a recent industry security and privacy conference, "someone ... opined that we won't see real commitment to cybersecurity until they start walking executives to the door when breaches occur."
So he was happy to see the executive order's call for holding departmental and agency leaders responsible for cybersecurity, although he would have liked to see more specifics. "Without specificity that can be measured, holding leaders accountable will not be easily done. ... When we start holding C-level executives accountable for cybersecurity readiness you'll see meaningful change." (See Has Cybersecurity Been Overstudied?)
Baker notes that recent surveys have indicated that information security is getting C-level attention in private healthcare organizations. "However, although the healthcare industry seems to be taking the need for security risk management more seriously than they have in the past, and even increasing the budgets allocated for security, they still are implementing primarily basic security measures that most federal agencies implemented a decade ago," she contends.
Among the executive order's weaknesses, McMillan says, is that it "doesn't address the growing list of insecure technologies being introduced into healthcare enterprises as a result of a lack of a standard for cybersecurity certification," referring to national public health critical infrastructure. "Twenty years ago, when I retired from DoD, we had approved lists of hardware and software that had met our standards to be connected to a secure network."
Kwak says he's uncertain whether changes in the cybersecurity strategies of federal agencies could influence the strategies of healthcare organizations. "As far as how this may impact the healthcare sector, there's just too many variables out there to even begin speculating the impacts," he says.