Among the many impacts of the ongoing government shutdown could be an increased cybersecurity threat to hospitals nationwide, especially smaller facilities that rely on government resources. The longer the shutdown continues, the greater the danger of ransomware attacks and delayed cyber alerts, which could threaten patient safety or potentially impact the delivery of some health system services, according to an Oct. 8 blog post by 3B Healthcare.
CISA legislation paused
The Sept. 30 end to the federal fiscal year also ended the 2015 Cybersecurity and Infrastructure Security Agency Sharing Act, known as CISA 2015, Healthcare IT News reported on Oct. 7. That legislation originally set out to strengthen cybersecurity resilience “by setting up a framework for organizations to share threat indicators and other security intelligence with the feds and with each other,” Andrea Fox wrote in the article. “To encourage private companies to report information about potential cybersecurity threats, CISA 2015 also offered protections from some regulatory enforcement and certain liabilities that could arise from such sharing.”
With the legislation lapsed, some lawmakers and security analysts are concerned that a crucial pipeline of threat intelligence will slow dramatically, Fox wrote, leaving many health systems and other organizations partly in the dark about quickly evolving cybersecurity threats. For example, some companies may avoid sharing information without the protections offered by CISA 2015. However, threats can be reported anonymously to the Health Information Sharing and Analysis Center (Health-ISAC), a nonprofit organization that shares threat intelligence and best practices with health care organizations.
With the number of ransomware incidents continuing to increase, the shutdown could make some health care facilities, especially smaller ones, more vulnerable to cyberattacks, Errol Weiss, chief security officer at Health-ISAC, told BankInfoSecurity in early October.
“Smaller hospitals and clinics often rely on free federal resources like CISA’s Cyber Hygiene scanning service. These organizations lack the extensive in-house cyber staff and budget of larger hospital systems,” he said.
Medical device manufacturers and health IT providers can also be at risk, as they, too, depend on federal agencies for regulatory guidance and information about patches that need to be installed to continue protecting their devices and products, the article said. Meanwhile, health care organizations are being encouraged to contact their product vendors, colleagues or the Health-ISAC for any news about cyber threats and product support.
Staffing shortages and cyber risks
Of CISA’s 2,540 employees, only 35% have remained active during the shutdown, the 3B Healthcare post said. The agency typically provides critical alerts, vulnerability updates and defense recommendations for health care systems. But with limited staffing, these services have been delayed or reduced, according to the post.
The remaining employees are being asked “to do more and more work protecting American cyberspace,” Richard Forno, director of the University of Maryland, Baltimore County, Graduate Cybersecurity Program, wrote for The Conversation on Oct. 7. “The cyberdefense agency is being hobbled at a time when the need for its services has never been greater.”
In addition to cybersecurity across the federal government, CISA also works with companies that operate critical infrastructure such as phone networks, the electric grid and energy pipelines, he wrote. It also supports state and local governments in securing their data and networks.
“Unfortunately, adversaries do not reduce their attacks against the U.S. based on available federal cyber defense funding or the status of cybersecurity laws,” Forno wrote. “In fact, malicious hackers often strike when their target’s guard is down.”
Roughly 41% of the Department of Health and Human Services workforce has been furloughed, with only staff deemed “mission critical” (essential to human safety or property protection) remaining active, the 3B Healthcare post noted. During this time, proactive cybersecurity measures such as training, threat analysis and interagency coordination are largely frozen, and health care providers may not receive timely guidance or support for any new vulnerabilities that appear, the post said.
When the shutdown ends, affected agencies will still need time to reboot. Uncertainty about cyber issues affecting the health care sector could continue, including whether the CISA Act of 2015 is renewed, Mari Savickis, head of government relations for the College of Healthcare Information Management Executives, told BankInfoSecurity.
Story ideas
- Interview hospital chief information security officers or other health IT staff about how the shutdown is impacting them, and what they are doing in the meantime to protect their institutions.
- Chat with the Health-ISAC about the types of resource requests they are getting from hospitals during the shutdown, how they are helping, or what other resources they are offering.
- Interview manufacturers of medical devices used in hospitals about their concerns and how they are handling the shutdown.
Resources
- Is the government shutdown impacting info sharing for healthcare cyber threats? – Healthcare IT News.
- Experts: Shutdown Strains Healthcare Cyber Defenses – BankInfoSecurity.
- Federal shutdown deals blow to already hobbled cybersecurity agency – Tech Xplore on MSN.
- Government shutdown leaves U.S. cyber defenses weaker, insiders say – Forbes.
- Federal Shutdown Threatens Health Care Cybersecurity Readiness – Integrated Healthcare Executive.
- Government Shutdown Threatens Healthcare Cybersecurity: Experts Warn of Rising Risks – 3B Healthcare.








