What the National Cybersecurity Strategy Means for Healthcare TPRM

On March 2, 2023, the White House released a new National Cybersecurity Strategy. The nearly 40-page document developed by the two-year-old Office of the National Cyber Director provides a roadmap for new laws and regulations aimed at helping the United States prepare for and fight emerging cyber threats. The strategy from President Joe Biden’s administration envisions "fundamental changes to the underlying dynamics of the digital ecosystem."

Five Pillars of the National Cybersecurity Strategy  

The plan includes five pillars that are further divided into strategic objectives. Here is a quick overview of what each of them entails:

1. Defend critical infrastructure: Regulatory frameworks will establish minimum cybersecurity requirements for critical sectors to increase confidence in the resilience of U.S. critical infrastructure. One of those critical sectors is healthcare. 
   
2. Disrupt and dismantle threat actors: With the support of private sector partners and international partners, the United States will work to combat the ransomware threat and disrupt malicious actors.
   
3. Shape market forces to drive security and resilience: Federal grant programs will encourage the development of secure infrastructure. Moreover, the responsibility for securing software products and services will be shifted away from individuals who are most vulnerable. The Administration is also supporting legislative efforts that enforce good privacy practices.
   
4. Invest in a resilient future: A diverse cyber workforce will be developed as part of this effort. Cybersecurity research and development for emerging technologies, such as post-quantum encryption, will be prioritized.
5. Forge international partnerships to pursue shared goals: The United States will work with allies and partners to improve supply chains for reliable and trustworthy information and communication technologies to counter cyber threats.

How Will the Strategy Affect Healthcare Third-Party Risk Management? 

Healthcare cyberattacks can compromise patient data, confidential medical records, and even cause life-threatening disruptions in critical care delivery. Healthcare stakeholders have called for the federal government to take protective actions to counter waves of ransomware attacks targeting hospitals and healthcare facilities. 

Many healthcare third-party risk management (TPRM) leaders, including members of the AHA, Health3PT, and HITRUST, have publicly praised the new strategy as a step in the right direction. It’s important to note that while the strategy doesn’t specifically refer to healthcare, it does categorize healthcare as critical infrastructure, and healthcare leaders are optimistic that the policy change will have a positive effect on preventing healthcare cyberattacks.

One of the key focuses of the strategy is vendor accountability. 

The strategy puts more responsibility on tech and software companies to ensure the security of their products. According to the Biden administration, cybersecurity liability should be shifted to "the owners and operators of the systems that hold our data and make our society function" and the technology providers that these owners and operators rely on. 

Healthcare TPRM leaders are citing three specific elements of the strategy that could impact TPRM in the healthcare sector:

• Increased TRPM Regulations. The regulatory requirements for third-party risk management will most likely grow. Considering the growing trend to compromise healthcare entities through their vendors, assessing and monitoring third-party security controls will become an additional regulatory requirement.
• Internet of Things Security Standards. Government collaboration with vendors to develop security standards for Internet of Things (IoT) devices, including medical IoT, will help healthcare organizations alleviate the burden of securing products after their implementation. According to the strategy, the Administration will collaborate with Congress and the private sector to develop legislation establishing software product and service liability.
• Data Collection Limits. Among the provisions in the strategy document are those that limit data stewards' collection and transfer of personally identifiable information (PII). One of the document's strategic objectives addresses the issue of protecting vulnerable populations from data misuse. 
  

These three elements will likely need to be incorporated into the vendor management lifecycle, depending on how the key provisions of the strategy are implemented.

Next Steps: Considerations 

The National Cybersecurity Strategy is a policy document, not an executive order. Still, it does represent a significant shift in attitude toward public-private partnerships that the government has discussed for years. The strategy outlines several initiatives that would need to be approved by Congress, such as increased funding for cybersecurity. However, political resistance to increased government spending and new regulations could make it difficult to enact these changes.

Further complicating the implementation of the strategic plan is the fact that federal law prohibits the federal government from enforcing cybersecurity requirements on state-run institutions. As a result of the upcoming implementation of the strategy, healthcare entities such as medical device manufacturers, pharmaceutical companies, and others are likely to be required to meet both existing standards and emerging best practices in cybersecurity. Currently, the details are still being written and published, so we’ll have to wait and see which strategic objectives will be implemented successfully.