In March 2022, the U.S. Senate passed the Strengthening American Cybersecurity Act. Authored by U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), the act joins several other bipartisan bills aimed at combating cyberattacks and protecting the U.S.
Data breaches, especially against critical infrastructure like healthcare, are on the rise, which is why regulations are as well. Previously, healthcare organizations only had to demonstrate compliance under HIPAA, the Health Insurance Portability and Accountability Act of 1996. New legislation like the Strengthening American Cybersecurity Act adds further protocols to help covered entities and patients stay safe. This is useful to healthcare organizations tasked with patient care and with safeguarding patients’ protected health information (PHI).
What is the Strengthening American Cybersecurity Act?
The Strengthening American Cybersecurity Act consists of three separate cyber defense bills:
- The Cyber Incident Reporting Act
- The Federal Information Security Modernization Act
- The Federal Secure Cloud Improvement and Jobs Act
It was created by Peters, chairman of the Homeland Security and Governmental Affairs Committee, and Portman, the committee’s ranking member.
An April Paubox cybersecurity blog explored the Cyber Incident Reporting Act. This bill adds to reporting requirements already in place such as the HIPAA Notification Rule. Critical infrastructure must report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).
The update to the Federal Information Security Modernization Act improves coordination and communication between federal agencies. This includes CISA as well as the Department of Health and Human Services, which oversees HIPAA.
Finally, the Federal Secure Cloud Improvement and Jobs Act provides better, safer access to cloud technology. Improved access would come through FedRAMP, the Federal Risk and Authorization Management Program, which is tasked with creating cloud security standards.
The Strengthening American Cybersecurity Act needs to go to the House for consideration and final approval.
Why the Strengthening American Cybersecurity Act and others?
According to Senator Peters,
This landmark, bipartisan legislative package will provide . . . the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches.
In other words, new cyber legislation would strengthen protections, especially given the recent onslaught of cyberattacks (e.g., AvosLocker ransomware) against critical infrastructure.
For example, the 2021 Colonial Pipeline ransomware attack disrupted the nation’s fuel supply. And of course, many countries have seen an increase in cyberattacks by nation-state threat actors related to the current situation in Ukraine.
New laws that address cyber threats can only strengthen security; this new act aims to standardize cybersecurity and response, especially for critical infrastructure like healthcare.
The U.S. House may not accept the bill as is. But obviously, the U.S. government understands the need to revamp its current tactics.
Bolster cybersecurity using a risk-based approach
If nothing else, an increase in legislation should demonstrate that critical infrastructure organizations need to fortify their networks. One such method is to adopt a risk-based approach.
A cyber program that focuses on risks encourages organizations to identify weaknesses and develop strategies to mitigate them. In fact, a risk assessment demonstrates an organization’s unique needs while also identifying what needs protection and how.
For example, employees may frequently share passwords or use their own devices for work-related tasks. Knowing that employees may be the weakest link should then influence an organization to focus on up-to-date employee training and strict policies on access control.
A business continuity plan, in fact, plays a huge role in risk management and disaster planning.
Bolster cybersecurity using a zero trust approach
But to make any system even more secure, organizations must also consider using a zero trust approach. In short, zero trust means trusting no one automatically; consider everyone a possible threat. Risk is managed by limiting access to certain parts of a network or to certain data (e.g., PHI).
Zero trust security therefore extends no implicit trust to any user or to any email sent or received, relying on a few core principles:
- Multi-factor authentication
- Least-privilege access
- Activity monitoring
Zero trust restricts access to the bare minimum, requires users to re-verify repeatedly, and monitors all access.
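As an added illustration (not code from the original post or from Paubox), here is a minimal deny-by-default access check in Python that applies the three principles listed above to a single request: a least-privilege role map decides what each role may touch, an MFA proof must be present and recent or the user is told to re-verify, and every allow or deny is written to an audit log for activity monitoring. The roles, resources, users and the 15-minute MFA window are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Least-privilege role map (constructed for this example): each role gets only
# the (resource, action) pairs its job requires; anything else is denied.
ROLE_PERMISSIONS = {
    "nurse": {("phi", "read")},
    "billing": {("phi", "read"), ("invoice", "write")},
    "it_admin": {("mail_gateway", "configure")},
}

# Repeat verification: an MFA proof older than this window is not accepted.
MFA_MAX_AGE = timedelta(minutes=15)  # assumed value


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified_at: Optional[datetime]  # None means no MFA proof was presented
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: AccessRequest, audit_log: list) -> Decision:
    """Deny-by-default policy check; every outcome is appended to audit_log."""
    if req.role not in ROLE_PERMISSIONS:
        decision = Decision(False, "unknown role")
    elif (req.resource, req.action) not in ROLE_PERMISSIONS[req.role]:
        decision = Decision(False, "not permitted for role (least privilege)")
    elif req.mfa_verified_at is None:
        decision = Decision(False, "MFA required")
    elif req.now - req.mfa_verified_at > MFA_MAX_AGE:
        decision = Decision(False, "MFA proof expired; re-verify")
    else:
        decision = Decision(True, "policy satisfied")

    # Activity monitoring: record allows and denies alike, so reviewers can see
    # both legitimate use and attempted overreach.
    audit_log.append({
        "time": req.now.isoformat(),
        "user": req.user,
        "role": req.role,
        "resource": req.resource,
        "action": req.action,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def run_demo():
    """Constructed requests that exercise each branch of the policy."""
    t0 = datetime(2022, 6, 1, 9, 0, 0)
    audit_log = []
    requests = [
        # fresh MFA, permitted action -> allowed
        AccessRequest("alice", "nurse", "phi", "read", t0 - timedelta(minutes=2), t0),
        # nurse trying to change mail gateway settings -> least privilege denies
        AccessRequest("alice", "nurse", "mail_gateway", "configure", t0 - timedelta(minutes=2), t0),
        # permitted action, but the MFA proof is 30 minutes old -> must re-verify
        AccessRequest("bob", "billing", "phi", "read", t0 - timedelta(minutes=30), t0),
        # no MFA proof at all
        AccessRequest("carol", "it_admin", "mail_gateway", "configure", None, t0),
        # role that the policy does not know about
        AccessRequest("mallory", "contractor", "phi", "read", t0, t0),
    ]
    decisions = [evaluate(r, audit_log) for r in requests]
    return decisions, audit_log


if __name__ == "__main__":
    decisions, log = run_demo()
    for entry in log:
        print(entry)
```

Only the first request is allowed; the other four are refused for four different reasons, and all five show up in the audit log. The point of the structure is that there is no path to "allowed" that skips a check, and that a denial is as visible to monitoring as a success.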
At the beginning of this year, the U.S. government finalized its Federal Zero Trust Strategy for all federal agencies as well as organizations that work with them. Federal agencies must adopt the government’s zero trust goals by the start of fiscal year 2024.
And what cyber defense methods fit both approaches?
Focusing on risks encourages organizations to take a proactive stance.
And zero trust ensures network security covers all endpoints and attack surfaces. Depending on an organization’s needs, tactics to consider when creating a complete risk-based, zero trust plan include:
- Data access and management
- Secured legacy systems
- Encryption for data in transit and at rest
- Mobile security
- Endpoint security
And of course, email security to harden the most heavily used threat vector. Paubox is dedicated to providing the best email cybersecurity technology. Paubox Email Suite Plus allows covered entities to send HIPAA compliant email and protect sensitive data with two-factor authentication and robust inbound security tools.
And with our Zero Trust Email, we ask for another layer of authentication before an email is even delivered to an inbox. Only time will tell what happens to U.S. legislation. In the meantime, create your own barriers and boundaries and safeguard your networks.