HHS Responds to Federal Cybersecurity Mandates
The US Department of Health and Human Services (HHS), at the urging of two presidential executive orders and a portion of the Cybersecurity Act of 2015, is working to develop a stronger cybersecurity infrastructure.
On May 11, President Trump signed an executive order instructing HHS and other federal agencies to conduct a risk assessment of each agency’s cybersecurity capabilities and identify vulnerabilities that could damage public health. An earlier executive order by President Obama in 2013 classified HHS as one of 16 “critical infrastructure” sectors that must be secured from cybersecurity threats. The newest executive order requires HHS and other federal agencies to conduct a full risk assessment within 180 days, and requires each agency head to provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget within 90 days.
In their risk assessments, the federal agencies must adhere to the National Institute of Standards and Technology (NIST) cybersecurity framework. However, some security experts say the order’s timetable is unrealistic.
“Unless they decide to be a bit more specific regarding risk, any ‘risk report’ that comes from a high level division of the government will probably be a picture of a guy with his head on fire, and 600 pages of screaming,” Dan Tentler, founder of security firm Phobos Group, told ZDNet.
In a recent cybersecurity workshop held at NIST, HHS’s chief information officer, Julie Anne Chua, detailed how her agency is taking steps to comply with the 2015 Cybersecurity Act. The law requires the development of “a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes that [will] serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations,” Cyber Scoop reported.
In response to those requirements, Chua said HHS is “leveraging its public-private partnership model,” and working with NIST to put the task group together.
“We need providers, operators, actual folks on the ground… robust intra-sector cooperation,” Chua said, according to Cyber Scoop.