President Joe Biden on Wednesday directed the federal government to improve cybersecurity for critical infrastructure.
While the memo doesn't directly address the healthcare industry, the administration is investigating whether grants, tax credits or other policy changes could help health systems and other organizations invest in needed cybersecurity upgrades, a senior administration official said during a call with reporters on Tuesday. Such measures could be essential to ensuring national security, given that the private sector owns and operates nearly 90% of critical infrastructure in the U.S.
"The federal government can't do this alone, and securing our critical infrastructure requires a whole-of-nation effort," the official said.
The memo formalizes the Industrial Control Systems Cybersecurity Initiative, a voluntary, collaborative effort between the federal government and the private sector to strengthen the cybersecurity of the nation's critical infrastructure. The aim is to increase information sharing within and across industries about cybersecurity threats.
Biden's directive also calls for the Departments of Homeland Security and Commerce and other agencies to develop and issue cybersecurity performance goals for critical infrastructure within a year.
"Cybersecurity needs vary among critical infrastructure sectors, as do cybersecurity practices. However, there is a need for baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems," the memo said.
The move could reverberate across the healthcare industry.
"While some may welcome a broad federal standard as opposed to a patchwork of laws and frameworks, this memo is the beginning of what inevitably will lead to greater regulatory scrutiny in what are already the most heavily regulated industries in the U.S.," Hogan Lovells partner Tim Bergreen said in an email.
But many organizations don't have enough money to upgrade their cybersecurity infrastructure. Cybersecurity usually makes up no more than 6% of a healthcare organization's IT budget, per a 2020 survey by the Healthcare Information and Management Systems Society.
"Relatively few healthcare organizations are conducting end-to-end security risk assessments. Many risks are unaddressed due to the lack of comprehensive security risk assessments. Basic security controls such as firewalls and anti-virus software are not universally used by healthcare organizations," according to HIMSS. "This paints a picture of a leaking sieve."
Stronger financial incentives could encourage more healthcare organizations to upgrade their systems voluntarily.
"Cyber insurance is a really interesting mechanism as well," the official said.