Dive Brief:
- President Donald Trump has signed an executive order aimed at strengthening cybersecurity across the U.S.
- The 16-page order, issued last Thursday, targets cybersecurity risks within the federal government and those posed to businesses and individual internet users.
- The executive order came one day ahead of a massive malware attack that invaded computer systems in 104 countries around the globe, including those at 40 U.K. hospitals.
Dive Insight:
The executive order requires all government agencies to modernize their IT and implement risk management measures using the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. Within 90 days, agency heads must provide a risk management report to heads of Homeland Security and the Office of Management and Budget.
The order also calls for agency heads to provide the president with regular reports on how they are managing cybersecurity risk to critical infrastructure, and identify authorities and strategies to support cybersecurity of entities deemed critical to public health and national and economic security. This should include strengthening resilience against botnets and other automated, distributed threats.
The importance of such measures was dramatically illustrated Friday and over the weekend with the ransomware attack that forced some hospitals in the United Kingdom to divert patients. The malware got into computer systems through a phishing email and used a Microsoft exploit that was corrected by a patch the company issued in March. This highlights the need for frequent system updates and employee education on cybersecurity.
The order says that to the extent permissible by law, agencies should implement shared IT, including email, cloud and cybersecurity services.
In a recent HIMSS survey, one-third of healthcare leaders said they are “highly concerned” that their organizations will be a victim of a security breach this year. And while 8% reported having employee awareness programs to reduce the risk of an attack, nearly 80% said employee awareness is their greatest security threat concern.
Teaching hospitals are at higher risk for data breaches than non-teaching facilities, according to a letter published online last month in JAMA Internal Medicine. Of 141 acute care hospitals that reported hacks to HHS between 2009 and 2016, 52 were major academic medical centers.
Richard Henderson, global security strategists at Vancouver, BC-based Absolute Software, recently discussed steps organizations can take to protect their IT networks. These include asking IT partners if they have the capacity to patch software and how quickly they can respond to a vulnerability or breach. They also need to ensure all devices have proper authentication so they can be identified and assessed if repairs are needed.