The impact of Trump’s cybersecurity order on healthcare
Last month, President Trump signed his long-awaited cybersecurity executive order, titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The aim of the executive order is to modernize the federal IT network and national cybersecurity risk management.
While much of the executive order specifically addresses defense and law enforcement agencies, one section directs critical infrastructure agencies to identify vulnerabilities that could affect healthcare and public health.
Under a previous executive order signed by President Barack Obama in 2013, the Department of Health and Human Services (HHS) was identified as one of 16 critical infrastructure sectors, specifically relating to the sector of healthcare and public health.
Trump’s latest executive order requires a thorough review of all sector-specific agencies within 180 days, and requires each agency head to provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget within 90 days.
The top three cybersecurity priorities outlined in President Trump’s Executive Order include:
- Cybersecurity of federal networks – Heads of executive departments are to modernize their IT and implement risk management measures using the National Institute of Standards and Technology’s (NIST) Framework – something certain departments in the HHS struggle to manage. President Trump also pledges to hold the heads of executive departments accountable for cybersecurity risks within their enterprises.
- Cybersecurity of critical infrastructure – Agency heads including the Secretary of Homeland Security, the Attorney General and the Director of the FBI are to provide President Trump with regular reports on better supporting the cybersecurity risk management efforts of critical infrastructure.
- Cybersecurity for the nation – The Secretary of State, the Secretary of the Department of Defense and other relevant agency heads will be required to submit a report on strategic options to better protect the nation from cyber threats. President Trump also highlighted how an engaged workforce will ensure the U.S. maintains a cybersecurity advantage, emphasizing the importance of federal stakeholders considering how to educate and train the American cybersecurity workforce through higher education and apprenticeship programs.
Trump’s executive order also places emphasis on addressing gaps in the nation’s cybersecurity workforce and seeks to shift government systems to the cloud, rather than spending time protecting outdated IT systems.
For individual practices and physicians, Trump’s executive order should not create much cause for concern in the administration of their daily workload, due to the existing requirements of the HIPAA Security Rule and the HITECH Act.
However, the requirements outlined in the executive order may prove to be a mammoth task for the HHS, which has already come under a lot of fire for its cybersecurity vulnerabilities from watchdog agencies. Past reports have criticized HHS for not prioritizing cybersecurity and allowing vulnerabilities to continue developing.
For example, the Office of the Inspector General (OIG) recently reported ten cybersecurity weaknesses within the department, most of which had already been highlighted in an audit from the previous year. One of the vulnerabilities identified is that operating divisions within HHS do not consistently implement the NIST framework.
HHS Chief Information Officer, Beth Killoran, has defended the agency, and is taking action to make cybersecurity a key part of the department’s strategic plan, adding that cybersecurity is the number one issue keeping her up at night.
While the executive order does not fundamentally change U.S. cybersecurity policy, it does lay a foundation for changes to future policy. Given the increasing threat from cybercrime, the administration is likely to keep its focus on this issue for the remainder of the year.