Industry Regulations

Three months after the Biden administration mandated formation of a national cybersecurity safety board, staffing by DHS and the attorney general is about complete. Indiana University's Scott Shackelford and former NTSB chairman Christopher Hart detailed the potential during a Black Hat virtual session, but also its complications.

President Biden announced a new government initiative to improve the cybersecurity of critical infrastructure and instructed federal agencies to develop cybersecurity goals infrastructure might aim to reach.

In health care, there's a longstanding debate on whether incentivizing providers could improve the sector's overall cybersecurity posture. Leaders from PC Matic, HSCC, NTT, Rapid7, Fortified Health Security, Veeam, and the AbedGraham Group make the case for – and against – using incentives to improve cyber hygiene and reduce the risk of cyber threats to patient safety.

In 2022, HHS will launch its nationwide interoperability framework known as TEFCA. As additional agency efforts continue to fuel data sharing in the health care sector, privacy and security concerns tied to potentially overlapping standards.

The security directive follows a similar action in May as part of the Biden administration's efforts to respond to a destabilizing ransomware attack on the Colonial Pipeline.

Instead, Centers for Medicare and Medicaid Services policies and procedures rely on the enterprise risk management processes from the Department of Health and Human Services, rather than its own requirements.

The same regulations that require swift reporting of breaches demand only modest details to be delivered to customers. That leaves health care organizations to decide for themselves how transparent they choose to be – and to manage the consequences of those decisions.

Industry groups are concerned that contractors may lack crucial details, context and authority for reporting requirements in the cyber executive order.