The CyberPHIx Roundup: National Cybersecurity Strategy, 3/22/23

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

Our host Britton Burton spends this entire episode reviewing and analyzing the recently released National Cybersecurity Strategy, including:

  • Summarizing, and in some cases quoting, the key points from the document that are most relevant to healthcare security pros who may have time to listen but not read 
  • Analyzing how those key points will affect the healthcare industry in the coming months and years 
  • Explaining how (and when) the rulemaking process might play out 
  • The impact this could have on cloud and third-party risk 
  • Implications of incident reporting and the positive side of the emphasis on it 
  • An interesting wrinkle in the cyber insurance space 
  • Increased scrutiny on IoT manufacturers 
  • How the technology and software industry is similar to the automotive industry 50 years ago 
  • And much more! 

PODCAST TRANSCRIPT

Britton: [00:00:15] Hello and welcome to The CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. I'm your host, Britton Burton. In addition to this roundup, be sure to check out our resource center on MeditologyServices.com, which includes our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders, as well as blogs, webinars, articles, and lots of other educational stuff. We have a full agenda to cover today, so let's dive into it. You're probably not surprised to hear that today's episode will be entirely on the National Cybersecurity Strategy released by the Biden administration almost two weeks ago now. I'm sure you've all seen the news of it, if not read it yourselves. But for those of you who maybe haven't had time to read it yet, I'm going to break down the points that I think matter the most for healthcare security and privacy pros. I definitely encourage you all to read it for yourselves if you can. It's only 39 pages. You know, it's not a difficult read. It's not hundreds of pages long. There is a ton in there that will be relevant for other types of roles: law enforcement, government agencies, other critical infrastructure sectors, educators, et cetera. But hopefully, I can center you on the most salient points for healthcare security pros if you can't find the time to read it, as we always try to do on the roundup. 

Britton: [00:01:45] And before we get into the contents of the document, I think it's most important to start out by stating that this is a long-term plan, a framework for the goals that the US government wants to achieve within the cybersecurity space. So it is not yet a rule, a law, or even a bill set to be voted into law. Congress will have to pass a law, or most likely laws, to make most of this come to fruition, which could take time. However, it does leverage a few different executive orders made by Presidents Trump and Biden to build on edicts already issued by the federal government. So things are definitely in motion already. But overall, this is just a strategy, not a new law yet. I'll discuss this much more in detail at the end of the segment, because it doesn't mean we can just ignore this right now, obviously. But it is important to understand this is not yet a law or a bill. Let's go ahead and get into the content. So first, obviously, at the top level, it's divided into five pillars. Those pillars are, number one, to defend critical infrastructure. Number two, disrupt and dismantle threat actors. Number three, shape market forces to drive security and resilience. Number four, invest in a resilient future. And number five, forge international partnerships to pursue shared goals. And within each pillar, there are sub-points, where more of the detail is, that are labeled as strategic objectives, with different goals or requirements laid out. 

Britton: [00:03:09] So my goal here is to walk you through not quite section by section, but pretty close. There are some of those sub-bullets, the strategic objectives that I just mentioned, that are not quite as relevant to healthcare security pros as some of the others. So my goal is to walk you through those that are relevant. Explain them a little bit. Again, assuming maybe you've been busy, haven't had time to read this yet. Explain what's in there, a little bit of analysis we've done, and then I'll kind of summarize towards the end some thoughts on the whole thing. But hopefully, this is a great primer if you have not had time to read it and you can just go, okay, I know what the key sections are, at least for me as a healthcare security pro. So starting off, there is an introduction section that sets the stage for why the time was right to produce this strategy. And there are some really interesting nuggets within. First, you can tell from the tone of just the whole intro that the authors are kind of saying enough is enough with the state of cybersecurity and the threat landscape. It references NotPetya, SolarWinds, and critical infrastructure incidents throughout as sort of, this is why we need to do this now. 

Britton: [00:04:12] There is a pretty bold statement right near the beginning of the introduction that will be echoed and supported throughout the document, and that is, quote, to realize the vision these pillars lay out, we will make two fundamental shifts in how the United States allocates roles, responsibilities and resources in cyberspace, end quote. And those two shifts focus on, number one, shifting responsibility for insecure technology from the end users, small businesses, state and local governments, and infrastructure operators who are often victims of cyber attacks to the manufacturers of the technologies. That's a big one. I'm sure you've heard about that. We will talk a lot about that today. It's echoed throughout the document. And then the second shift is compelling more long-term investments in the way such technology is designed, built, and secured. Now, interestingly, in the introduction, it names the People's Republic of China as, quote, the broadest, most active, and most persistent threat to both government and private sector networks, end quote. And says it is the only country with the intent to reshape the international order that also has the economic, diplomatic, military, and technological power to do so. So I thought it was just very interesting to see that written so plainly in a document that will obviously be consumed very widely and not just domestically. It also specifically does call out Russia, Iran, and the Democratic Republic of Korea as the other main nation-state threats. 

Britton: [00:05:38] I thought, importantly, it mentions organized crime syndicates as just as much of a national security threat as true nation-state actors, mostly due to the disruption and financial cost of ransomware. So it's good to see those organized crime groups get top billing like nation-states. They cause just as much, if not more, damage to businesses, but don't always get grouped in the same way as the government-backed groups. And I think we have to change the language around that. So I was pleased to see that. Now moving on to the five pillars and the important strategic objectives themselves. As I said, I'm not going to cover every single sub-point, but I will hit on the most important ones that you, as a security leader in the healthcare industry, need to be aware of. Pillar one. Remember, pillar one is the Defend Critical Infrastructure pillar, and starting with strategic objective 1.1, it is called Establish Cybersecurity Requirements to Support National Security and Public Safety. So basically, this one directs the federal government to set necessary cybersecurity requirements in critical sectors, and I think it's really important to note that the second sentence in this section reads, quote, While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes, end quote. So you've heard us discuss a lot on this podcast for a while that several people in important positions in Washington are making comments like this, and the winds really seem to be shifting towards new regulation. 

Britton: [00:07:05] I think this section is the shoe, maybe, that we've been waiting on to drop. Obviously, it's still not a law. Right. But, you know, seeing that so plainly written, that voluntary approaches have not produced the outcomes that they want, I think certainly supports some of what we've been seeing with the trends in the news we've been following. Yeah. Another thing we've said a lot on this podcast is that we can read some tea leaves and see that the cyber performance goals and the recognized security practices are telling us that there will be an accepted standard of due care in cyber coming from the federal government at some point. And I think we see that in this section. You know, the document also says, quote, Regulations should be performance-based, leverage existing cybersecurity frameworks, voluntary consensus standards, and guidance, including the cyber performance goals and the NIST framework for improving critical infrastructure cybersecurity, end quote. So obviously, that supports, you know, what the tea leaves would have been reading there. The section is also the first time we see an emphasis on third-party risk. It identifies third-party service providers and cloud as critical pieces of today's business and says the administration will work to identify and close gaps in cybersecurity practices for the cloud computing industry and other essential third-party services. There will be a lot more of this to come as we go through this. 

Britton: [00:08:25] As we talked about with fundamental shift number one, kind of shifting obligation to the manufacturers, again, the huge theme throughout. We'll hear a lot more about that. Strategic objective 1.1 discusses the need to harmonize and streamline new and existing regulations, which I think is something everyone in the industry can get behind. You know, we all feel overwhelmed with the number of fractured requirements and regulations we have to comply with, and that complexity makes the job so much harder, when sometimes, if we just said, Defend your organization, we might be in a better state. So really happy to see that. There's also a section in here titled Enabling Regulated Entities to Afford Security that I think is really important. And this is another thing we've mentioned recently, where we're seeing commentary about incentivizing cybersecurity practices through stronger reimbursement rates in healthcare and other means. I liken it to the way meaningful use was rolled out several years ago as a carrot when health systems were first switching from paper records to EHRs. I was hopeful to see more of that from the legislation that Senator Warner is pushing in healthcare. But it's very interesting to see similar comments and concepts covered in this document that would likely extend such ideas to all critical infrastructure areas. The other strategic objective in pillar one that I think you'll want to know about is Section 1.4. 

Britton: [00:09:43] It's about updating federal incident response plans and processes. And one major point stuck out to me in this one. If you follow CISA, if you follow our podcast, we already know that CISA is working on incident reporting obligations under the CIRCIA Act, or the Cyber Incident Reporting for Critical Infrastructure Act of 2022. But notably, this part says that CIRCIA will require covered entities in critical infrastructure to report covered cyber incidents to CISA within hours. I had not seen that kind of timeline yet. Maybe I just missed it. It's possible that it was out there, but it stuck out to me just since I hadn't actually seen that quick turnaround yet. And that's obviously significant. You know, there will have to be a clear definition on what kind of incidents are covered and an efficient way to share information with CISA for this to ever work. But you have heard Jen Easterly on podcasts recently talking about this, and I truly do believe in her vision and her time served in the private sector and not wanting to overburden the private sector and any operators, any security operators, with how this is going to work. So, you know, putting our faith in her and the teams that are working with her to do this, but obviously need to keep an eye on this for what it means to notify within hours. Then skipping to pillar two. 

Britton: [00:11:04] It's going to be obvious, I think, as we go through this why that requirement on reporting within hours that we just spoke about is in there. So if you recall, pillar two is titled Disrupt and Dismantle Threat Actors. The strategic objectives within it are as follows. I'm just going to read through the titles real quick to kind of get you oriented. 2.1, Integrate Federal Disruption Activities. 2.2, Enhance Public-Private Operational Collaboration to Disrupt Adversaries. 2.3, Increase the Speed and Scale of Intelligence Sharing and Victim Notification. 2.4, Prevent Abuse of US-Based Infrastructure. And then 2.5, Counter Cybercrime, Defeat Ransomware. So this whole pillar is about quickly sharing information to the entities who can actually perform takedown operations of attacks as they're occurring. The idea is to do more of what the FBI did recently in disrupting the Hive ransomware operation and distributing decryption keys to victim organizations, which they claim saved over $130 million in ransom payments. So when you see how this section comes together, it makes Section 1.4 make a lot more sense. Again, Section 1.4, about quickly reporting incidents within hours to the federal government, is, it looks like, going to force the issue on reporting these incidents, because the whole industry knows, I mean, we all know that incidents are vastly underreported, and law enforcement agencies who can actually make some headway, like in the Hive ransomware takedown, want more information to be able to do their thing. 

Britton: [00:12:37] But there's this lack of trust. There's this, you know, are we going to find ourselves in a legal situation because we reported an incident? There's just that fundamental lack of trust. And again, I've heard Jen Easterly and others who are shaping this talk about this, and they're really trying to change that narrative. It's going to be really, really important that CISA does a good job defining what meets the criteria for a reportable incident, based on daisy-chaining these two sections together. You know, my humble opinion, I guess, not knowing insiders or anything, is that it will be, you know, the highly damaging events like confirmed ransomware attacks and not just the daily churn of security events and minor incidents that covered entities face every day. For one, you know, if it was everything, that would create so much noise, probably too much for CISA to do anything with, plus this undue burden on, you know, us as security practitioners. But if it's just the major incidents that include things like operational disruptions of critical infrastructure, then law enforcement can focus on the biggest problems and hopefully do more to attack back, basically, against the attackers. And also, the more that those things are reported, the more data there is to actually state the problem to people outside of our world who may not understand how frequently this stuff is happening. Pillar three is titled Shape Market Forces to Drive Security and Resilience and is easily the most impactful in our world. 

Britton: [00:14:06] I'm probably going to spend the most time here. Healthcare has been wrestling with the problem for years, and this section paves the way for what would be a sea change in the industry, without a doubt. Strategic objective 3.1 is titled Hold the Stewards of Our Data Accountable. And basically, this one sets a vision for setting clear limits across industries on the ability of organizations to collect, use, transfer, and maintain personal data, and also to provide strong protections for sensitive data such as geolocation and health information. The document itself calls those two terms out specifically; that's not me just sort of adding my own commentary in there. So obviously that's interesting to us as health security people. And also we're already seeing movement along those lines. Again, things we've covered in the podcast with the groundbreaking FTC settlements on non-HIPAA-covered health apps, GoodRx being the first one and the biggest one. But there's been another one since. This sets the stage for harmonizing that requirement, I think, across all industries for these non-HIPAA-regulated health apps. Strategic objective 3.2 is called Drive the Development of Secure IoT Devices. And this is a big one. IoT devices are everywhere in the modern healthcare setting. And we all know how much of a problem they create for security programs. We also know how much benefit they create for actual patient care and hospital operations and so on. 

Britton: [00:15:28] But they're a thorn in the side of security folks. And the document says, quote, Too often these devices have been deployed with inadequate default settings, can be difficult or impossible to patch or upgrade, or come equipped with advanced and sometimes unnecessary capabilities that enable malicious cyber activities on critical physical and digital systems, end quote. So it calls out that the federal government would put stronger requirements in place for IoT cyber and also mentions that it will continue to advance the development of IoT security labeling as directed under Executive Order 14028. The document also mentions that China is the largest producer of cheap IoT devices that are so often insecure and cites that as one of the many reasons that they are threat actor number one. So an interesting one there. And now for strategic objective 3.3. And this is the most important one in my judgment. It's titled Shift Liability for Insecure Software Products and Services. I mentioned that we'd spend more time here when I covered the two fundamental shifts the strategy aims to make, and this one is huge. As a reminder, that first fundamental shift was about shifting responsibility for insecure technology from the end users, small businesses, state and local governments, and infrastructure operators who are often victims of cyber attacks. Shifting that responsibility to the manufacturers of the technologies. So I'm going to quote several lines directly from the document here because they're so well stated and really paint the picture well, and I want you to hear it directly from what the document says. 

Britton: [00:17:03] So listen closely and see if any of this resonates with you. Quote, Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance. Software makers are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform prerelease testing, end quote. Another one, quote, We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities, end quote. A little further down, still in the same section, quote, The administration will work with Congress and the private sector to develop legislation establishing liability for software products and services. Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract and establish higher standards of care for software in specific high-risk scenarios. Continuing, the administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services. This safe harbor will draw from current best practices for secure software development, such as the NIST Secure Software Development Framework. 

Britton: [00:18:27] And finally, the last quote from the section, quote, The administration will encourage coordinated vulnerability disclosure, promote the further development of SBOMs, and develop a process for identifying and mitigating the risk presented by unsupported software that is widely used or that supports critical infrastructure, end quote. I don't know about you, but reading through all that was like reliving every day of my role as a head of cyber for a hospital system. The part about vendors shipping insecure products and then disclaiming liability by contract is spot on and gives me flashbacks to the daily grind of assessing vendors and negotiating information security agreements with them. The shift in liability, if truly mandated by the federal government, would completely change the game for covered entities. There are plenty of vendors who are doing the right things and running strong security programs, and I always want to make sure I say that, because I can sometimes feel like I'm throwing stones at them. But we also know that there are a whole lot more that aren't, and smaller vendors and start-ups tend to be the ones who are more behind. Again, not making blanket statements here, but generally speaking, that tends to be true. And it's been too easy for them to pass the buck on security liability to the healthcare orgs buying the product. So if this is codified into law in some way, I believe it will fundamentally change how we approach TPRM. 

Britton: [00:19:49] Right now, HIPAA pretty much places all the burden on the covered entity to do business with quote-unquote secure business associates. As a result, we've spent years in healthcare and cybersecurity developing more and more in-depth security control questionnaires so we can cover every single control and every single edge case for scope. And we're telling ourselves that we're doing it to make sure our vendors are secure. But if we're being honest with ourselves, we're doing it just as much so that we can prove we assessed the vendor when the inevitable breach happens, because we know there's not much we can do to actually prevent it. So if all of a sudden business associates and vendors themselves are directly in scope for a law about cybersecurity, maybe that's bigger than healthcare. Maybe that's all critical infrastructure. I believe it will shift the burden to vendors to prove their security posture more proactively and more robustly. So rather than client security teams taking on the burden of proving a vendor's security posture through these exhaustive proprietary questionnaires, vendors will need to demonstrate security through independent assurances and key evidence of baseline security expectations. And the entire healthcare industry may be able to align more closely to a standardized set of requirements so that we can all go, look, if you're doing things like security certifications, if you're doing regular pen testing and remediation, if you have a secure SDLC and you have incident response plans that you consistently update and test, if you're doing those kinds of big things, we can trust you as a company that takes security seriously and is worth doing business with. 

Britton: [00:21:24] We understand that not every single control may be implemented to our exact specifications in our questionnaire, but we can stop haggling over that level of detail and let you, as the vendor, continuously improve your security program to meet these bigger expectations. And that will drastically change the way that the industry currently functions. It would become more about moving all the vendors that can meet those markers for security into fast-track lanes. Does Vendor A have all the requirements? Yep, they sure do. So let's do business with them. And now we can move on to the more heavily scrutinized Vendor B, who maybe doesn't appear to have any of those standard requirements. So if the federal government does this the right way, a little bit of a scary thing to say, I'll admit. But if they do it the right way, we could finally begin to solve the scale problem that is at the root of every single issue in TPRM. And that's really exciting. And let me tell you, if this sounds like a pipe dream, or maybe it just sounds like, hey, what an intriguing model, reach out to me on LinkedIn. I would love to talk to you about a new approach to TPRM that we are releasing right now. 

Britton: [00:22:27] It's called CORL Cleared, and I think it can revolutionize the industry. The final strategic objective in pillar three is also a really interesting thing to keep an eye on. It's 3.6, titled Explore a Federal Cyber Insurance Backstop. And it says, quote, The administration will assess the need for and possible structures of a federal insurance response to catastrophic cyber events that would support the existing cyber insurance market, end quote. I mention this one because just a few weeks ago, in The CyberPHIx March 1st podcast, we talked about the issues in the cyber insurance industry and how the pendulum is maybe swinging too far away from the policy purchasers. There have been calls for treating cyber incidents similar to the way we do large national natural disasters so that government could aid and be involved. I'm not sure if that's what this means. This is one of the shortest sections of the document. Actually, it's only one paragraph, so there's not a whole lot there. And there would be some major pros and cons to an approach that equates a ransomware event to a natural disaster and some form of, like, FEMA, for example, intervention. So we'll save the analysis on that for another time when more is known about what this means. But as a cyber leader, you definitely have to have your eyes on this because it's the cyber insurance topic. And that's just a really critical topic for all of us right now. 

Britton: [00:23:48] I'm going to move a little more quickly through the rest of the strategy. Most of pillars four and five are, in my opinion, of more interest if you work in standards organizations, if you work in R&D for security technology, if you're in a government agency, and so on. But there are a few tidbits here that I'll hit on that I think are relevant for us in the healthcare industry. Pillar four, again, is titled Invest in a Resilient Future, and strategic objective 4.3 is Prepare for Our Post-Quantum Future. So two sentences stood out to me in this one, quote, Quantum computing has the potential to break some of the most ubiquitous encryption standards deployed today. We must prioritize and accelerate investments in the widespread replacement of hardware, software, and services that can be easily compromised by quantum computers so that information is protected against future attacks, end quote. I bring this one up because we've covered the quantum computing topic on the podcast a bit, from NIST naming a few of the potential new encryption standards to the national security memo on US leadership in quantum computing. So a couple of times we've touched on it. The buzzword that we're seeing a lot is to provide cryptographic agility, and I think it's just another topic that we have to be aware of as security leaders. The concern about this is sort of the hack now, breach later approach, where a stolen database that's encrypted by currently accepted algorithms may be decrypted in a couple of years once quantum computing power is realized. 

Britton: [00:25:16] I'm not sure any security leader needs to be deploying a decryption overhaul project right this moment, but it's certainly a topic we all need to be well read about so that we're not caught unawares when standards change in the coming years. And it does appear that that's happening. Obviously, it warranted a mention in this document, so you need to have your eye on it. Strategic objective 4.6 is called Develop a National Strategy to Strengthen Our Cyber Workforce. Everyone in the business is aware of the talent shortages we face, and this section says that the Office of the National Cyber Director will develop and oversee the implementation of a national cyber workforce and education strategy. We've seen promises of this in the past, but to my knowledge, it's the first time that a specific federal organization is named as being responsible for development and implementation. Again, I could have missed that previously, but that is at least the first time I've seen it. So that makes it somewhat notable. And finally, pillar five. It's called Forge International Partnerships to Pursue Shared Goals. I'm going to skip most of this because it's not as relevant to us in the healthcare sector in our day-to-day jobs. But the one part I will mention is something to keep on your radar from strategic objective 5.5, which is called Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services. 

Britton: [00:26:33] There is a really bold goal in here that's stated as, quote, The United States will work with our allies and partners, including through regional partnerships, (skipping ahead a little bit) to identify and implement best practices in cross-border supply chain risk management and work to shift supply chains to flow through partner countries and trusted vendors, end quote. It goes on to mention topics like funding the creation of secure and diverse supply chains for semiconductors and telecommunications. And then later on it also says, quote, We will work to prevent unacceptable and undue risks to our national security from information and communications technology and services subject to control or influence from adversarial governments, end quote. So I think this is a shout-out to a few things: some of the existing federal bans on companies like Huawei and ZTE, where we believe China is directly targeting US citizens with nefarious products, and the whole semiconductor shortage that caused so many problems during COVID. To say the least, though, this is an extremely bold statement to say, well, we'll shift supply chains to partnering countries. That is, I have to imagine, extremely complex. I think we've seen how fragile the supply chain is, obviously, through COVID. But part of the reason it's fragile is because it's not super easy to have this completely resilient, robust, can't withstand all things supply chain. 

Britton: [00:27:55] So very bold statement. But boldness is the only way to make some headway here. So it'll definitely be a fascinating topic to monitor, and just one that I thought worth mentioning to you. All right. And the final section of the document is the implementation section. It's about, obviously, implementation. It places the new Office of the National Cyber Director, or ONCD, front and center. They are actually the ones that wrote this document, and they are also the ones expected to publish an implementation plan for this national cybersecurity strategy with the finer details. So far, all we know is later in 2023. I at least have not seen any more concrete dates than that. Please email us or reach out to me on LinkedIn if you have seen a more concrete date. We'll obviously have to be aware of that, and they will also lead the way in terms of things like budget allocation and other things associated with bringing the plan to bear. So there wasn't a ton of implementation detail. But I think the point was to have a section there at the end that at least says, hey, we know this is a lot and we do plan to implement it, but a whole lot more to come there. Good job, everyone. We made it to the end. Thanks for sticking with me through that. 

Britton: [00:29:05] If you'll bear with me a few more minutes, I want to do some analysis on top of what I've already done to try to tie this all together again. There are several sections of the strategy that I did not cover. Those sections are relevant to us as cyber professionals, but for the 15th time, a little less relevant within the context of health security leaders who need to understand how market dynamics and pending regulation will change how you actually run your security program. So I really tried to focus it to that. And this would have been a four-hour podcast if I covered it all. But just want to reiterate, it's definitely worth reading this so that you're aware of those other sections and you kind of see the larger picture of where cybersecurity as an industry as a whole could be going in the coming years. So the way I'd like to tie all this together is the analogy that I'm sure a lot of you have seen, and I'm going to repeat it because I think it's just so perfect. It's spot on. In fact, Jen Easterly again, I think, brought it to light in her article Stop Passing the Buck in Cybersecurity in Foreign Affairs probably two months ago. I think it's the first time I'd seen the analogy. It's the perfect comparison. There are so many examples of industries that were providing products to American consumers that started out very unregulated and resulted in some very poor outcomes for human life. 

Britton: [00:30:26] The automotive industry is one of the best examples of that, and that's in fact the one that Jen Easterly and that Foreign Affairs article really locked into. So the manufacturers did not have really any liability concerns. Car manufacturers, that is, when people were getting killed or severely injured in car accidents, until the amount of negative outcomes in aggregate reached a tipping point. And eventually, the federal government stepped in and said, you know, these manufacturers have an obligation to produce a product that is reasonably safe for consumers. So that's when things like seatbelts and airbags and car seats for children and all the myriad safety features that you now see on a modern vehicle came to be the expected norm. There are examples of this in the food industry and the aviation industry and many, many more. And this finally appears to be that turning point for the software and connected technology industry. So Section 3.3, the one we spent the most time on, is less a cybersecurity announcement than it is a notice to technology firms that we're about to go down the same path that nearly every other industry has when it comes to reasonable consumer protections. Obviously, as we said earlier, all of these objectives won't become law tomorrow. Everything I've read on it predicts five years or potentially even more of lawmaking around this. It's also unclear if there will truly be one law to rule them all, the way that they talk about harmonized rulemaking, or if there will be piecemeal rules that come out over the next 5 to 10 years. 

Britton: [00:31:57] I don't think anyone can truly predict that. But it's clear that now, if there is still anyone out there in technology sticking your head in the sand and trying to skirt having to implement strong cybersecurity practices, those days have to be over, like right now. You do not want to wait until the government announces a new law a few years from now to start your cybersecurity program planning. As any of us in the industry who are trying to run programs can tell you, these are very, very complex problems to solve and complex programs to build. The time is now to build them right, to prove to customers that you are doing the right things, to meet minimum standards like the CPGs and Hitpie, because you're probably going to have to prove it sooner than later. It just feels kind of inevitable that one of those will be a part of the law-making at some point. And if enforcement by the FTC is any precedent, it doesn't matter if a law doesn't go into effect until 2028, because they might retroactively apply these requirements to your data and security practices from several years ago in any investigation. That's what we've seen with two FTC cases already: retroactive. 

Britton: [00:33:04] That rule didn't exist the way it currently does from three years ago or whatever. But you're seeing companies still get hammered for it. Additionally, there is already some momentum and some requirements in place to support a lot of this. I believe I counted at least five executive orders. I went back through the whole 39-page document. I believe I counted at least five executive orders and a couple of national security memos referenced. So there are segments of the business world that are already being pushed to comply with portions of this. A lot of it is businesses selling to federal entities. But again, it's not like this is all completely pipe dream stuff. Another observation, you know, after reading through this is I truly, truly hope they mean what they say about harmonizing and unifying the regulation. There is so, so, so much in this document. And one of the complexities in the cyber and privacy realm is the number of different rules and governing agencies that we have to deal with. Even what I just said about the number of executive orders and national security memos, five and two, I think is what I said. I can't even keep up with all those. Right. I see one reference in an article every week that I go, Oh yeah, what number is that one? Which one was that? You know, it just gets really burdensome really quickly to keep up with this stuff. 

Britton: [00:34:20] Every month on the podcast I'm talking about OCR and FTC and FCC and so on. New rules, new requirements, new punishments, new penalties. It's more than a full-time job to keep up with what we must comply with, and proving that compliance is often harder than just deploying a well-run security program that is agile and defends against relevant threats. It really, really will be imperative to pull all of this together in a more seamless way so that security leaders can have less of a scatterbrained approach. And then finally, I want to say that this is a really well-written document. It states the problems accurately. It provides solutions that actually get to the heart of those problems. They clearly got good industry feedback while developing this. It doesn't feel like a, you know, a government person in a suit and tie closed their door and just wrote this, and I want to applaud them for that. I also want to give the compliment that you can actually see a strategy unfolding here. There were so many things that we've talked about on the podcast in the last six-plus months. You know, reading tea leaves from things you could see in motion, like the CPGs, the references to car safety from Jen Easterly a couple of months ago, cyber insurance and quantum computing, and emphasis on third-party and so on. You can tell that these executive orders and other things that have come out in the last 2 to 3 years, while they seemed piecemeal at the time, certainly to me it appears they were driving to a bigger picture, because they're all accounted for in this strategy. 

Britton: [00:35:48] And you see kind of the threads pulling together into a single garment, if you will, with this strategy. So I think that's really important. It's nice to see that organization and that structure behind where we need to go with cybersecurity from a national security standpoint. So there's obviously a long road ahead on this. I'm very excited to see the emphasis placed here and the clarity of thought that I think really aligns well to the problems we're facing. I'm hopeful this is kind of the dawn of a new day in cyber. It may seem overly optimistic to say that, but it feels like we may be reaching a tipping point that could really change some things. And I'm excited. Please reach out to me if you have thoughts on this or if you want to talk about this. I would love to get more information from the public who's consumed this and who really thinks about how this is going to impact us as things shift into law-making. That's all for this session of The CyberPHIx Healthcare Security Roundup. We hope this was informative for you and we'd love to hear from you. If you want to talk about any of this, please just reach out to us at [email protected]. That's all for this week. So long, and thanks for everything you do to keep our healthcare organizations safe.