Along with the budgetary lapse that led to the ongoing government shutdown, the end of the federal fiscal year on Sept. 30 has brought another key challenge for healthcare: the expiration of the Cybersecurity Information Sharing Act of 2015, known as CISA 2015 (the law, not to be confused with the Cybersecurity and Infrastructure Security Agency, which shares the acronym).
That lapse – especially combined with the myriad other challenges posed by the shutdown – should be a wake-up call for hospitals and other healthcare organizations that struggle with data security even on a good day, says Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center (Health-ISAC), a nonprofit, member-based, private-sector organization.
Incentivizing threat information sharing
The Cybersecurity Information Sharing Act, signed into law a decade ago with bipartisan support, sought to bolster cybersecurity resilience by setting up a framework for organizations to share threat indicators and other security intelligence with the federal government and with each other.
To encourage private companies to report information about potential cybersecurity threats, CISA 2015 also offered protections from some regulatory enforcement and certain liabilities that could arise from such sharing.
But – along with some other hugely useful healthcare provisions – the law expired this past month when Congress, at an impasse over massive health spending cuts, failed to pass the government funding bill that would have reauthorized it.
With that lapse, there is now widespread concern among lawmakers and security analysts that a key pipeline of threat intelligence information will slow dramatically, putting many organizations, health systems not the least among them, at risk of "flying partially blind" against ever-present and fast-evolving cybersecurity threats.
Without the protections explicitly offered by CISA 2015, legal counsel at healthcare and other organizations may now be scared off from sharing information due to worries about liability and class action lawsuits, Weiss acknowledges.
But he urges C-suite executives to continue embracing the spirit of the law and reframe that potential issue as a business risk. That requires a shift in cybersecurity discussions, he says, and an acknowledgment that the benefits of information sharing still outweigh the liabilities.
Weiss notes that healthcare organizations that prioritize peer-to-peer information sharing could contribute threat information anonymously and help safeguard others in healthcare – while also helping prevent the loss of established collaborative cyber defense relationships that have formed over the past decade or so.
He also sees tangible benefits to healthcare organizations, such as faster recovery from incidents, a better understanding of new threats and improved staff skills, when they stay in touch about cybersecurity intelligence.
In this Q&A, Weiss also explains how – especially given the recent unreliability of federal support amid tumult in Washington – healthcare organizations that maintain a cybersecurity posture that's self-reliant and proactive can "save time, energy and reputation."
Q. What do healthcare organizations need to know about the status of federal threat intelligence information and programs that they have come to rely upon?
A. There's a lot of great information from the government [and] law enforcement, and there are some really impactful advisories and bulletins that we see from them.
I always tell our members that when we publish an alert that has the Federal Bureau of Investigation seal on it, for example, they're talking about active exploitation and victims; they're working active cases, and these are people who have had a high impact on their organizations as a result of these attacks.
We want to pay attention to what's in those reports and learn from them. Without the protections in place, I feel we're going to see less sharing, fewer reports like that from the FBI, and we will ultimately be more vulnerable as a result.
The sharing that has happened since the 2015 law was put in place is probably going to take the biggest hit, where organizations are less likely to want to share with the federal government because of the lack of liability protections, and also the Freedom of Information Act protections.
Since January and the new administration, and then certainly since the government shutdown, the other impact I see is just regular meetings that we've had with analysts at CISA or [the Department of Health and Human Services] have slowed down. It was starting to pick up a bit in September. But then, of course, now with the shutdown, we're not seeing any of that.
All these relationships we have, they just take so long to develop. We're finally getting into a groove with some people that we see regularly on analyst calls. For example, we get cyber threat intelligence analysts to sit down and have a productive information exchange on a bi-weekly level. It's great that we've had some long-term relationships and trust built there.
But, with the slowdown since January, and now with the shutdown, that's all coming to a screeching halt, which is tough to see. I just don't know who's going to come back to the table. So we might have to start that relationship building all over again, unfortunately.
When Ray Kelly, a former New York police commissioner, was asked about post-9/11 anti-terrorism countermeasure spending on the 60 Minutes news program, his answer was basically, "I'm not waiting around for the federal government to protect New York City. We have to take matters into our own hands."
That left a lasting impression on me. I feel very much the same when it comes to the private sector and cybersecurity.
We've got to be more proactive. We've got to take this into our own control. We can't rely on the federal government, especially when we've seen what can happen from one administration to the next – how things can change dramatically. The cutbacks in federal spending, the cutbacks in CISA, are certainly impacting organizations that relied on those services at one point.
Q. It's only been a week so far, but since the expiration of CISA 2015, with the absence of legal protections, do you see healthcare organizations starting to hold back on information sharing?
A. For the most part we've seen really no change in the private sector peer-to-peer sharing that's happening through Health-ISAC, which is a member-based organization.
ISACs have been around since 1999, well before the CISA act came into effect in 2015. [Health-ISAC was formed as a healthcare-specific entity in 2010.] While we've been constantly educating organizations about the benefits of information sharing – and we were able to protect that information that's being shared through various mechanisms – certainly, we welcomed the law when it came into effect in 2015 because it provided more protections for organizations.
When it came to sharing and collaborating, leading up to Sept. 30, I was saying, "I don't want to lose the momentum that we've gained through all of the years of education and the benefits that we got from CISA 2015."
But here we are now, and maybe there are going to be organizations that are less likely to share because of the lack of liability protection and potential risks that they see in sharing.
I've seen large multinational companies unwilling to share and then I've seen others that do, and I think we've seen organizations that want to get ahead of potentially negative press and be proactive, get out there, share, talk about what happened, get out in front of their customers and explain what happened and what they're doing about it.
I've seen all extremes and in all kinds of different organizations. It's just the culture of the organization and just listening to legal counsel and making a decision based on what they say. And when that happens, I know what the answer is. They're not going to share. They're going to clam up, and nothing's going to come out.
When I'm talking to organizations that I know are experiencing an incident, I'm trying to work with them to get indicators of compromise. But it can take a lot of work to get to that point.
Q. What is your advice to C-suite executives who want to maintain their cybersecurity posture but are wary of liability when it comes to information sharing?
A. The ransomware attack numbers are still increasing, and it's concerning. And I'll tell you that in 2025, we're on track to exceed the total number we saw last year.
One of the findings from some of the exercises and tabletop exercises that we've done at Health-ISAC is on educating the C-suite on the benefits of information sharing to change the equation from an incident as "just a legal issue" to a business risk discussion.
The lawyers definitely will say there are risks associated with information sharing: "Here's what could happen." Probably the No. 1 issue is threats of class action lawsuits if the organization were to disclose information and it becomes public.
But, we want the C-suite to understand what the benefits are, and we can talk about faster recovery, understanding what the new threats and new vulnerabilities are when they're impacted by incidents and being able to get information from others who have gone through that.
Having staff participate in information-sharing communities, if they're able to, is another way to learn. It's another way to hone their skills. It's another way to improve their soft skills. We hope to show that the benefits far outweigh the risks, and therefore, the logical conclusion is to continue to share.
That's essentially where we are today, and now we have to do a little bit more education around the benefits over the risk.
One final point there on the risk is that Health-ISAC certainly offers ways for those organizations to be able to share with the network anonymously.
We know it came from another member, we just don't know who, and we can take that information – whether it's an incident, the indicators of compromise or the description of the impact to the organization – and learn from it and then use that to help protect our own networks.
People don't necessarily care who it came from; they just need to know what happened and how they can use it to protect themselves.
Q. What should organizations do if they learn about a cyberattack during the shutdown?
A. There are two things I would say. First, there is a responsibility to the community to share what we know about what happened in that incident because we don't want to see other victims as a result of this; we have a duty to help protect others.
Second, you may learn something by sharing. If you could put it out there and talk about what happened, you might have the benefit of being connected to somebody who's been through it as well, and you can learn from them. What did they do? How did they recover? What worked well? What didn't work so well, and what should we be doing as a result of all of that?
It could save time, energy and reputation by being able to recover quicker if you're out there talking about this as opposed to just hiding.
Healthcare IT News has reached out to the Health Sector Cybersecurity Coordination Center and HHS to inquire about the status of threat alert services and federal intelligence sharing during the shutdown, and will post updates if they are provided.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.