At a glance.
- US HHS issues healthcare sector cybersecurity guidelines.
- Belgium and Slovenia join the EU’s cyber rapid response force.
- Senate Intelligence Committee chair speaks on Section 702 and public trust.
US HHS cybersecurity framework.
The US Department of Health and Human Services’ Administration for Strategic Preparedness and Response has released a cybersecurity guide for the healthcare and public health sector. The guide was created by the Health Sector Coordinating Council’s Joint Cybersecurity Working Group in conjunction with the Government Coordinating Council and Sector Coordinating Councils, and its purpose is to help health sector organizations better understand and execute the recommendations in the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. The document aims to help these organizations evaluate their cybersecurity posture and adopt practices that will meet NIST’s standards.
The guide states, “To be effective in today’s constantly evolving threat and regulatory compliance landscape, health care organizations must adopt an approach that goes beyond the threats, vulnerabilities and controls du jour and helps communicate how cybersecurity investments result in meaningful risk reduction.” Topics covered include the seven steps of framework implementation; a table of inputs, activities, and outputs for those steps; additional resources that can be used to enhance cybersecurity practices; and a plethora of indices detailing everything from a glossary of terms to instructions on creating a communication plan.
Bryan Cline, Chief Research Officer at HITRUST, who also co-chairs the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group Risk Assessment Task Group, wrote, “The ongoing and sustained leadership across the private and public sector on this important work is critically important to health care organizations seeking to manage cyber risk, identify opportunities for improvement, and leverage risk analysis principles critical to the HIPAA Security Rule alongside the NIST Cybersecurity Framework. This update of the guide, first published in 2016, continues to support control framework-based risk analysis which is a NIST-based process that allows organizations to take advantage of comprehensive, risk-based Informative References such as NIST SP 800-53 and the HITRUST CSF to greatly simplify the HIPAA risk analysis requirement.”
Robert Booker, Chief Strategy Officer at HITRUST, added that organizations should find the guide valuable in demonstrating alignment with applicable frameworks. “The implementation guide is valuable for health care organizations seeking to demonstrate alignment with the NIST Cybersecurity Framework and that work with suppliers, customers, and regulators across multiple industries,” Booker wrote. “This is especially timely given the recently announced national cybersecurity strategy from the Biden Administration. Healthcare regulated entities like all critical infrastructure industries may anticipate requests from regulators to further demonstrate mature cybersecurity. The use of this implementation guide and the NIST Cybersecurity Framework can serve as the basis for assessing and demonstrating the presence of controls across the enterprise and evidence of active and consistent control maturity as the NIST Cybersecurity Framework is acknowledged as Recognized Security Practices, along with Health Industry Cybersecurity Practices (HICP), by the HHS Office of Civil Rights guidance in response to the 2021 HITECH Act.”
Belgium and Slovenia join the EU’s cyber rapid response force.
Yesterday Belgium and Slovenia officially became members of the Lithuania-coordinated cyber rapid response force, part of the EU’s Permanent Structured Cooperation (PESCO) Cyber Rapid Response Teams And Mutual Assistance In Cyber Security project, the Baltic Times reports. Established in 2018, the team’s purpose is to help execute coordinated cyber incident response and prevention. Lithuania’s National Defense Minister Arvydas Anusauskas issued a statement saying, “Congratulations to Belgium and Slovenia on joining this cyber security initiative. Hostile cyber activity levels have increased since the outbreak of the war in Ukraine. In times like these, our joint efforts to mitigate the growing threats are of utmost importance.” The force is rounded out by the other existing team members: Croatia, Estonia, Lithuania, the Netherlands, Poland, and Romania.
Senate Intelligence Committee chair speaks on Section 702 and public trust.
While attending the US Senate Intelligence Committee’s annual worldwide threats hearing on Wednesday, Senator Mark Warner spoke about the importance of trust when it comes to the Biden administration’s efforts to reauthorize Section 702 of the Foreign Intelligence Surveillance Act. Warner, who is also chair of the committee, stated, “I personally believe [in] the value of 702, but we're going to have to lean in on being willing to have the same kind of courage of declassification” about the spying program’s value in order to make the case for its renewal to the public and “skeptical members of Congress.” As the Record by Recorded Future explains, Section 702, which allows the National Security Agency to access digital traffic of overseas targets without a warrant, expires at the end of this year, and the Biden administration last week began its campaign to renew the measure. Opponents of the measure argue that it violates citizens’ rights to privacy, and they’ve expressed frustration about the intelligence community’s inability to discuss the intricacies of 702’s usage due to the classified nature of many of the missions it has authorized. Warner emphasized the need for transparency, stating that this lack of communication would do nothing to sway 702’s opponents. “That is not the kind of collaboration, cooperation that we expect and it will tie and restrain our ability to kind of make this kind of trusting relationship with the non-members of this committee on issues like 702,” Warner stated.