Earlier this month, Rep Crow (D,CO) introduced HR 8806, the Healthcare Cybersecurity Act of 2022. The bill would require CISA to work with the Department of Health and Human Services (HHS) to improve cybersecurity in the Healthcare and Public Health Sector. No additional spending is authorized in this bill.
Moving Forward
Neither Crow nor his single cosponsor {Rep Fitzpatrick (R,PA)} are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that it is unlikely that the bill will be considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that the bill would receive broad bipartisan support if it were considered in either Committee or on the floor of the House.
Commentary
The requirement in §6(a)(3) to evaluate the “best practices for the deployment of trained Cyber Security Advisors and Cybersecurity State Coordinators of the Agency into Healthcare and Public Health Sector assets before, during, and after data breaches or cybersecurity attacks” is going to have to include a detailed look at the number of Cybersecurity Advisors available in each region versus the history of the number of healthcare sector cyber attacks. CISA has only limited information available on the number of Cyber Security Advisors that it has on staff, but it is no more than 2 or 3 for each of their ten regional offices. This certainly will not be enough to handle every healthcare cyberattack in the healthcare sector, much less the 15 critical infrastructure sectors.
If CISA is going to be an incident response agency for private
sector organizations, they are going to have to dramatically increase the
number of IR personnel they have in their regional offices, and I do not think
that that is doable.
For more details about the bill’s requirements, see my
article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8806-introduced
- subscription required.
Posts
No comments:
Post a Comment