States Filling Federal Healthcare Cybersecurity Gap, UK Questions 5G, Marsh’s Cyber Catalyst Program
TLP White: In this edition of Hacking Healthcare, we discuss the lack of a federal cybersecurity standard and how states have stepped in to try to fill the gaps. We also break down the United Kingdom’s recent criticism of Huawei devices and hardware. We then dive into a new designation for cybersecurity products and services to help businesses navigate the vast and varied offerings available in the marketplace.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. Lack of Federal Cybersecurity Law Leaves States to Craft Their Own Solutions.
Last week the College of Healthcare Information Management Executives (“CHIME”) responded to Senator Mark Warner’s (D-VA) request for input on ways to improve cybersecurity in the healthcare industry.[1] CHIME lamented the lack of a national cybersecurity standard, stating that it unfairly causes healthcare providers to shoulder the lion’s share of responsibility for good cybersecurity practices.[2] The executives cited patch management and data inventory as some of the most pressing challenges and vulnerabilities facing the industry.
Without a federal law to give health providers cybersecurity guidance, states have stepped in to fill the gaps. In December 2018, Ohio passed a cybersecurity statute modeled after the National Association of Insurance Commissioners’ Insurance Data Security Model Law.[3] Ohio is the second state to adopt this model law, as South Carolina passed it earlier in 2018.[4] The law went into effect this month, and it requires health insurers to maintain a written information security program and provide notification to state regulators of breaches within 72 hours of learning of a breach.[5]
2. As 5G Roll Out Approaches, United Kingdom Questions Huawei Devices’ Security.
Here we are with the latest from our “Hua-what?” department: A United Kingdom (“UK”) cybersecurity regulator, the National Cyber Security Centre (“NCSC”), has raised concerns about security vulnerabilities in Huawei devices. The NCSC’s Huawei Cyber Security Evaluation Centre Oversight Board, a group instated eight years ago to evaluate the security risks posed by using Huawei equipment in critical national infrastructure, criticized the company’s engineering competence and cybersecurity hygiene in a report issued last week.[6] In somewhat ominous forecasting for pending 5G technologies, the report notes that “further significant technical issues have been identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks.”[7]
Generally speaking, western nations’ criticism and distrust of Huawei is not new. We’ve previously discussed the United States’ (“US”) approach to the company, noting the fact that it has banned the use of Huawei devices within the government. The United States’ position is similar to that of Australia and New Zealand. However, it remains to be seen how a number of other countries will respond to Huawei in the face of impending 5G technologies. As we come closer to a full 5G roll-out, reports like the one issued by the NCSC take on a heightened level of urgency. While it is fairly clear where the US, UK, and some others stand with respect to the company, many other countries have yet to draw a line in the sand.
This issue isn’t going away any time soon, so expect to hear a lot more.
3. Marsh Creates “Cyber Catalyst” Program for Evaluating Products and Services.
Marsh has joined up with a group of insurers, including Allianz; AXIS; AXA XL, a division of AXA; Beazley; CFC; Munich Re; Sompo International; and Zurich North America, in an effort to help organizations “make more informed choices about cybersecurity products to manage cyber risk.”[8] To that end, the group has created a “Cyber Catalyst” designation that will be given to products and services that group members identify as effective in reducing cyber risk.[9] Members of the group will assess cybersecurity products and services that work against cyber risks such as data breaches, business interruptions, data theft or corruption, and cyber extortion.
One of the goals of the program is to help organizations better navigate the vast and varied number of available cybersecurity products and services. In this crowded market, a trusted designation such as Marsh’s “Cyber Catalyst” stamp of approval could reassure companies looking to purchase enterprise cyber solutions.
Congress –
Tuesday, April 2nd:
–No relevant hearings.
Wednesday, April 3rd:
–No relevant hearings.
Thursday, April 4th:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19–4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>
–H-ISAC Member Only Webinar – How Policy Architecture Can Improve Cybersecurity (4/11/19)
<https://h-isac.org/hisacevents/policy-architecture/>
–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019–4/16/2019)
<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>
–Global Privacy discussion on H-ISAC Radio – Link is in Member Portal (4/15/19 12pm EST)
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>
–Peer Sharing ICS Security Workshop – Singapore (4/24/2019)
<https://event.boozallen.com/ICSWorkshopSingapore>
–H-ISAC Cybersecurity Workshop – Huntsville, AL (4/25/19)
<https://h-isac.org/hisacevents/h-isac-workshop-huntsville/>
–H-ISAC Medical Device Security Workshop – Burlington, VT (5/1/19)
<https://h-isac.org/hisacevents/h-isac-md-workshop-vt/>
–2019 H-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19)
<https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–HEALTH IT Summit (Mid-Atlantic) – Philadelphia, PA (6/3/19-6/4/19)
<https://endeavor.swoogo.com/2019-Philadelphia-Health-IT-Summit>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–H-ISAC Healthcare Cybersecurity Workshop – Buffalo, NY (6/18/2019)
<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>
–Healthcare Cybersecurity Workshop – London, UK (7/10/19)
<https://h-isac.org/hisacevents/workshop-london/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
<https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit>
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
–CMS competition seeks predictive AI apps for better health outcomes
<https://www.healthcareitnews.com/news/cms-competition-seeks-predictive-ai-apps-better-health-outcomes>
–Cisco Releases Flood of Patches for IOS XE, But Leaves Some Routers Open to Attack
<https://threatpost.com/cisco-releases-flood-of-patches-for-ios-xe-and-small-business-routers/143228/>
–FDA Warns of Cybersecurity Vulnerabilities in Medtronic ICD, CRT-D Telemetry Systems
<https://www.medscape.com/viewarticle/910830>
–87% of Cloud Pros Say Lack of Visibility Masks Security
<https://www.darkreading.com/analytics/87–of-cloud-pros-say-lack-of-visibility-masks-security/d/d-id/1334236?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple>
–Efforts intensify on broadening FTC authority; industry preps on ‘baseline’ IoT standards
<https://insidecybersecurity.com/daily-news/efforts-intensify-broadening-ftc-authority-industry-preps-baseline-iot-standards>
–Senate Banking panel kicks off talks on data security bill
<https://thehill.com/policy/finance/429853-senate-banking-panel-kicks-off-talks-on-data-security-bill>
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.warner.senate.gov/public/index.cfm/pressreleases?ID=A15A1599-1616-4A3C-8E00-A93F0AFF7303
[2] https://healthitsecurity.com/news/chime-health-it-cybersecurity-gaps-lie-in-data-inventory-patching-issues
[3] https://healthitsecurity.com/news/ohio-enacts-law-with-cybersecurity-requirements-for-health-insurers
[4] https://news.bloomberglaw.com/privacy-and-data-security/insurers-face-south-carolina-breach-notice-security-standards
[5] https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-273
[6] https://www.theverge.com/2019/3/28/18285185/huawei-uk-government-cybersecurity-report-5g-rollout-security-concerns
[7] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf
[8] https://www.marsh.com/us/campaigns/cyber-catalyst-by-marsh.html
[9] https://www.marsh.com/us/campaigns/cyber-catalyst-by-marsh.html