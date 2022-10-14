

Cybersecurity rules are coming to health care, water and emergency communications

Cybersecurity rules like the ones the Biden administration has written for critical pipeline operators and air carriers will expand to hospitals, medical devices, the water sector and public warning systems, a top White House official said Thursday.

And the administration is looking at other sectors – like manufacturing or information technology – where it needs congressional help to write mandatory minimum cybersecurity standards, said Anne Neuberger, the president’s deputy national security adviser for cyber and emerging technology.

Those are the latest planned steps in a paradigm shift toward imposing more rules on industry following last year’s ransomware attack on Colonial Pipeline, one of the nation’s largest fuel delivery arteries. When Colonial shut down its systems in response to the hack, it sparked a gas panic on the East Coast.

The Colonial attack forced the administration to take a look at the status quo, Neuberger told my colleague Ellen Nakashima at a Washington Post Live event. She said the administration didn’t like the idea that “you could have a major gas provider serving the entire East Coast, and the Transportation Security Administration does not have in place a standard for what our expectations are.”

Rules the Biden administration has imposed since — some of which are not yet in their final form — include requirements for major industry players to notify the federal government within a set number of hours when they suffer a cybersecurity incident, and develop detailed plans for responding to a disruptive hack.

To date, those rules have primarily applied to a set number of organizations. For instance, TSA identified 57 rail entities. And many of those rules have unsurprisingly met industry resistance.

On deck

Neuberger outlined the industries the Biden administration wanted to take up next in more detail:

The Department of Health and Human Services (HHS) is “beginning to work with partners at hospitals to put in place minimum cybersecurity guidelines, and then further work upcoming thereafter on devices and broader health care as well.” That would happen in winter or spring, a U.S. official said.

The Federal Communications Commission (FCC) will take up a proposed rule at its Oct. 27 meeting for emergency and public alert systems. The proposal includes a requirement for alert system participants, like radio and television broadcasters, to notify the FCC within 72 hours when they “knew or should have known that the incident occurred” and write cybersecurity risk management plans.

The Environmental Protection Agency (EPA) plans to incorporate cybersecurity in sanitation reviews of water utilities under a “creative” interpretation of existing law where EPA interprets mandates on security and safety requirements to include cyber, Neuberger said. In late July, Neuberger said the EPA would take that action “shortly.” Officials are aiming for the end of the year.

AdvaMed — a trade group that represents makers of medical devices, from hospital beds to pacemakers — is curious about what the administration has in mind, its senior vice president of technology and regulatory affairs Zach Goldstein told me.

The Food and Drug Administration (FDA) already produces cybersecurity guidance for medical device makers on what to do both before they deliver products to the marketplace and afterward. While it’s technically voluntary, FDA reviewers treat it in practice as mandatory, Goldstein said.

“The FDA has already been regulating this area, so for me it would be interesting to see HHS come out with a directive that would either revise or otherwise change what FDA has already done because they’ve been so involved,” he said.

Of particular interest is the possibility of enhanced cyber information-sharing with hospitals, Goldstein said. While he said medical device manufacturers have to share lists of software ingredients known as a “software bill of materials” that could help head off cyberattacks, hospitals have no similar obligation to share back, say, when they’re under attack.

The American Hospital Association declined to comment on Neuberger’s remarks.

Attacks on the health-care sector are particularly worrisome for their potential to harm patient safety. Water-sector attacks can likewise pose risks to human life, such as when a hacker almost succeeded in increasing the flow of a chemical at a Florida wastewater plant to a degree that could’ve poisoned residents.

The Biden administration’s plans for the water sector, however, have drawn fire from both within the sector and outside of it. Critics say sanitation reviewers aren’t best-equipped to evaluate cyber protections at the thousands of water facilities around the country.

In the hole

In other areas where the Biden administration could look to implement minimum security standards, it might need Congress to grant it that power, Neuberger said.

“For some, like critical manufacturing or DHS's emergency services or information technology, there are not authorities, and we're looking carefully at those to say what is needed in this space and how do we approach this,” she said.

The question of when and how to regulate cyber mandates amounts to one of the rare partisan divides in Congress over cybersecurity.

It’s one Congress is wrestling with now in debating whether to identify and designate some U.S. critical infrastructure as “systemically important.” Those are systems for which an attack could have dire consequences for national security, the economy or public safety and health. As originally conceived by the Cyberspace Solarium Commission, feds could impose further requirements on, and grant additional benefits to, those designated owners and operators.

The top Republican on the House Homeland Security Committee, Rep. John Katko (N.Y.), introduced legislation last year on the topic that doesn’t impose further requirements on such owners and operators but instead grants them only additional boons, such as enhanced access to threat information. A version in the House defense policy bill would do the same but raises the prospect of giving owners and operators security goals to meet, based on a study that the legislation orders.

But Katko said at Thursday’s Washington Post Live event that he’s not sure the legislation is even needed anymore. The Cybersecurity and Infrastructure Security Agency is already separately beginning to identify and make those designations. And anything Congress does that grants more regulatory authority to CISA is a risk to the agency’s role as liaison to industry, he told my colleague Cat Zakrzewski.

“We can't lose sight of the fact that the private sector has to have the comfort to work and trust with a teammate, that being CISA, as opposed to more of a dictatorial or rulemaking agency that's overseeing and causing all kinds of problems with them,” Katko said. “Because I think CISA is a unique agency in that the synergy between the private sector and CISA is the only way that CISA could be successful.”

The keys

Hospital system confirms that it was hit with ransomware

It’s not clear if the ransomware affected all of CommonSpirit Health’s facilities, which amount to more than 1,000 care sites and 140 hospitals, the Lincoln Journal Star’s Matt Olberding reports. The hospital system has followed protocols like taking its electronic health records and other systems offline, it said.

The cyberattack has had real-world impacts, the Des Moines Register's Michaela Ramm reports. A resident doctor told the parents of a 3-year-old patient that the child was given too much pain medication amid the outage, Ramm reports.

“They never did explain how a downed computer system led to this,” said his mother, Kelley Parsi. “I think they were trying to say it was written down wrong or the pharmacy read it wrong, but then, why wouldn't anyone check?”

It’s not the only impact from the disruption. Other local news outlets have reported that patients have had to reschedule important procedures and tests at affected health-care locations.

Hackers hit Church of Jesus Christ of Latter-day Saints, church says

The Mormon Church said the hack may have been conducted by hackers affiliated with a foreign government, who were able to get personal data about some members of the church, employees and contractors but didn’t access donation information, the Deseret News’s Tad Walch reports. The breach happened March 23, but the church waited to disclose it after receiving a request from federal law enforcement officials, the church said. The request was lifted Wednesday.

“U.S. federal law enforcement authorities suspect that this intrusion was part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals,” the church said. The church’s notice didn’t name the country that officials suspect of carrying out the attack.

Colo. election official warns judges about ‘disinformation’ with spoofed calls

A person posing as a Larimer County, Colo., employee used a number that appeared to be the county clerk’s office and told a potential election judge that all election judges have to be vaccinated, Colorado Newsline’s Quentin Young reports. Election judges in Larimer County don’t have to have received coronavirus vaccinations.

“The information provided on the call is disinformation,” Larimer County’s election operations manager said in an alert to election judges. “The information is not accurate, and the call was not made by our office.”

Larimer County Clerk Angela Myers, a Republican, “wasn’t sure how many election judges received the alert, but it could be as many as 630, the number of judges the county expects to hire for the November election,” Young writes. “She also informed the Larimer County Sheriff and state authorities about the incident.”

Colorado County Clerks Association Executive Director Matt Crane told Colorado Newsline that the incident appeared to be isolated. But it comes in the run-up to contentious midterm elections that could see countries like China, Iran and Russia try to conduct influence operations.
