Last week Rep Wasserman-Schultz introduced HR 7609,
the Military Construction, Veterans Affairs, and Related Agencies
Appropriations Act, 2021. There is nothing in this bill that addresses control
system, or even medical device, security. There were, however, two comments in
the House Appropriations Committee
Report on this bill that provide some interesting insight into how Congress
still misperceives cybersecurity.
In their discussion of the VA’s implementation of
electronic health records, the Committee expresses concern about the VA’s
implementation of cybersecurity best practices. They then state (pg 95):
“The Committee directs the
Department to identify for the Committee steps it has taken to protect data and
patient records across physical, virtual, and mobile networks and the devices
and systems attached to these networks. If such review warrants
[emphasis added], the Department should consider a layered defensive strategy
that includes perimeter security, segmentation within the data center to
increase lateral security, and data and application protections.”
It seems to me that these recommended ‘layered defensive
strategy’ measures are the minimum security requirements for any information
system and should not depend on whether or not a security review warrants their
implementation.
On the next page, the discussion continues, and the
Committee recommends that “the Department consider emerging technologies, such as
blockchain technology [emphasis added], if future requirements drive a
need to modify VA’s security architecture and technical solutions”.
I am surprised that there was not also a reference to the
other solve-all-problems cyber-solution, artificial intelligence.
Moving Forward
This bill will be lumped into the first FY 2021 minibus that
the House will take up later this week.