Health-ISAC Hacking Healthcare 5-9-2024

This week, Hacking Healthcare™ Focuses on new developments around AI risk, safety, and security. In particular, we breakdown the establishment of the new Department of Homeland Security (DHS) Artificial Intelligence Safety and Security Board and then review new DHS guidance Safety and Security Guidelines for Critical Infrastructure Owners and Operators.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare™.

Health-ISAC Americas Hobby Exercise 2024

The Health-ISAC is once again ramping up preparations for our annual Americas Hobby Exercise! For new Health-ISAC members, the Hobby Exercise is an annual Healthcare and Public Health (HPH) event designed to engage the healthcare sector and strategic partners on significant security and resilience challenges. The overarching objective is to inform and provide opportunities for organizational continuous improvement while increasing healthcare sector resiliency.

The following link to last year’s Hobby Exercise After Action Report provides a good overview of the kinds of interaction and value you can expect from this year’s event:

https://h-isac.org/tmp24/hobby-exercise-2023-after-action-report/

This year’s exercise will be held on June 6 at Venable LLPs office in Washington, D.C. Members are encouraged to register their interest in participation at the following link:

https://portal.h-isac.org/s/community-event?id=a1Y7V00000ZmFVwUAN

National Security Memorandum 22 Revises U.S. Approach to Critical Infrastructure

On April 30, the Biden administration published the National Security Memorandum 22 (NSM-22): on Critical Infrastructure Security and Resilience.^[i] This memorandum serves as the latest revision in a series of executive memoranda that have sought to define what constitutes U.S. critical infrastructure and outline how the government is meant to improve the security and resiliency of that critical infrastructure. As you might expect, NSM-22 will have direct and indirect impacts on the healthcare and public health (HPH) sector.

What is NSM-22 and what is it replacing? 

Since 2013, the United States federal government has looked to Presidential Policy Directive 21 (PPD-21) as the standing guidance for what constituted critical infrastructure in the United States, how the United States government should look to secure that infrastructure, as well as outlining the envisioned role of the private sector. While that executive memorandum does not have the force of law behind it, it was never repealed or replaced until last week.

This update was set in motion with the passing of H.R.6395, the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, which required the secretary of DHS, in consultation with the heads of Sector Risk Management Agencies (SRMAs), to “review the current framework for securing critical infrastructure…” and submit a report related to possible revisions.^[ii] The contents of that report were signed off on by President Biden and work on what would become NSM-22.

NSM-22 Contents

Roughly 35-pages long, NSM-22 provides the following towards “advanc[ing] [the United States’] national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure”:^[iii]

• Eight policy principles;
• Eight objectives;
• Clarification on the roles and responsibilities of federal departments and agencies;
• The promotion of risk management and an all threats/hazards approach to security and resiliency;
• The mandating of minimum security and resilience requirements for critical infrastructure sectors;
• The direction of a national infrastructure risk management plan;
• The reiteration of Systemically Important Entities (SIEs);
• A bolstering of intelligence sharing and information exchange;
• A reiteration of the definition of critical infrastructure, the designated critical infrastructure sectors, and responsible SRMAs; and
• An implementation plan for federal entities to execute on what has been outlined above.

Action & Analysis
**Included with Health-ISAC Membership**

Upcoming International Hearings/Meetings

• EU
  1. No relevant meetings at this time
• US
  1. No relevant meetings at this time
• Rest of World
  1. No relevant meetings at this time

^[i]https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/

^[ii] https://www.congress.gov/bill/116th-congress/house-bill/6395

^[iii]https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/

^[iv] Presidential Decision Directive/NSC-63

^[v] Presidential Policy Directive 21

^[vi] “Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters.”

^[vii]https://www.washingtonpost.com/politics/2023/10/16/biden-administration-goes-back-drawing-board-water-cybersecurity/

^[viii]https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#:~:text=A%20common%20set%20of%20protections,known%20risks%20and%20adversary%20techniques

^[ix] https://hphcyber.hhs.gov/performance-goals.html

^[x]https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/

^[xi]https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/

^[xii] https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/

• Related Resources & News
• Health-ISAC Hacking Healthcare 8-26-2024
• What is Threat Intelligence? A Comprehensive Overview
• Why Cybercriminals Target Healthcare Data and How Organisations Can Protect Themselves
• Federal Authorities Work to Boost Health-Care Cybersecurity
• Health-ISAC Hacking Healthcare 8-9-2024
• Health-ISAC Medical Device Blog – VEX
• Podcast: Health-ISAC Featured in Cyberwire Daily episode 2021
• Health-ISAC Hacking Healthcare 8-2-2024
• Protecting Healthcare Organizations with Human-Centric Email Security
• American Hospital Association and Health-ISAC Joint Threat Bulletin