UnHack (the News): New York Cyber Mandate, HIPAA’s Future, and Workforce Inclusion with Kate Pierce

[00:00:00] Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24/7 threat defense services or advisory services delivered through Central Command, a first of its kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.

Learn more at fortifiedhealthsecurity.com

Today on Unhack the News.

(Intro) we have such a skills gap and yet there's only like 25 percent females in the cyber security space right now.

So we've got a lot of untapped potential there

Hi, I'm Drex DeFord, a recovering healthcare CIO and long time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a [00:01:00] mostly plain English, mostly non technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News. (Main)

Hey everyone.

I'm Drex and this is Unhack the News where I spend a little bit of time talking to really smart people about some of the stuff that's happening in healthcare cybersecurity. My guest today is Kate Pierce from Fortified Health Security. Welcome to the show, Kate.

Oh, thanks, Drex. It's such an honor to be asked to meet with you and have a chat about cybersecurity.

It's always good to talk to you. We're on the Health Sector Coordinating Council Cybersecurity Working Group together. I'll see you next week in San Diego in person, so we'll be able to break bread together. But I'm glad I get to talk to you now. There's just so many things to talk about. So many interesting things that are happening.

Let's start with, there've been a lot of stories about the New York state hospital cyber regulations that passed in October. This has been going on for a while, like when they were proposed. And I know that we, I probably talked about it in Unhack the News and on the Two Minute [00:02:00] Drill as part of, as everything unfolded, but.

Like now it's unfolded, right? It's real. You've dug into this. You spend a lot of time thinking about this stuff. What do we all need to know?

I think, what we're seeing is New York State taking the lead in cyber policy for healthcare organizations. I think they, were waiting initially for maybe the federal government to come out and take the lead but we haven't seen that.

And so they said, hey, you know what, we need to protect the hospitals within our state. And so they developed a very comprehensive set of cybersecurity regulations that are going to affect just over 200 hospitals in the state of New York. The proposed rule went into effect October 2nd.

So that became official October 2nd of 2024. And immediately those hospitals have to respond to their state if there's a cyber incident within 72 hours. So there was part of that rule that became immediately in effect. And then there are a number of other regulations [00:03:00] for hospitals that hospitals will need to follow within a year.

So they've only got until October 2nd of 2025 to implement those rules. And they're very comprehensive when you look at it. They're above and beyond anything we see in HIPAA right now. Effectively one of the things that stood out to me is every organization has to name a chief information security officer, and it can be an employee or it can be outsourced, but they have to be qualified.

Yeah, what does that mean, qualified? How are they defining that?

They've got some verbiage in the rule that talks about how it has to be someone who has experience, who has the ability to assume that role. I don't want to get into the exact details, but it can't be just you go into someone's office and say, you're it, tag.

It has to be someone who really understands what cyber security programs should look like. And they have a long laundry list of things that they're going to be overseeing. [00:04:00] For the hospital as they develop the cybersecurity programs for those facilities. So it's not for the faint of heart to become a CISO in a New York hospital right now.

And most everything they're calling for is not outside the scope of what we see in the cybersecurity performance goals, or even if you're following the NIST CSF framework, it pretty much follows along with what's outlined there. They're just saying, hey, it's no longer voluntary in the state of New York.

This is mandatory by October 2nd of 2025, and we're already over a month in so you've got 10 and a half months now to get your house in order in New York.

Were there some funds that came with this, or was this sort of sans funding? You need to get your house in order and we're going to be looking in 11 months or whatever it is?

No, kudos to New York because they have already appropriated 650 million dollars to make this program effective. What we're [00:05:00] seeing is, they've got certain amounts that are designated depending upon the size of your facility that are set aside now for you to implement this program, and they actually identify the fact that this is not a one and done type thing.

This is an ongoing process that's going to need year over year funding. When you think about it, they're proposing 650 million for this. The federal government has proposed 1.3 billion for the entire country, so we can see that they're actually taking it very seriously in New York.

Yeah, that's a lot.

So you said it's broken down by hospital size or hospital type. Can you tell me more about what that means?

So in New York, it defines the hospitals by size and they're stating in the regulation that if you are a hospital with 10 or fewer acute inpatient beds, they're estimating your annual cost is going to be between 50 and 200,000, whereas medium sized hospitals that are defined as between 10 and 100 beds have an ongoing cost of approximately [00:06:00] 200 to 500,000.

And for large facilities their cost estimates are up to 2 million a year. So they've actually really thought it through and thought about how the size of the hospital affects the amount of funding that you would be allocated and how you can do it, as I said before, not just a one and done, but this is your year over year funding to help you with your cyber program.

So I like it. It's going to be a multi year program too. That's cool. What do you think? I know none of us know, and this is me asking you to get your magic 8 ball out and give it a good shake. What's this mean for other states as we watch this unfold in New York, and other people who are listening to this from around the country or are watching what's happening in New York?

What do you think it means for them?

I think New York has always been a leader when it comes to regulatory items. So as we sit back and watch and think about other states that are already leading the way with AI regulations and those types of things, I would [00:07:00] imagine that those states would also start thinking seriously about how they can protect their hospitals with cyber.

We should see something in California, maybe Colorado, Washington, Massachusetts, so there's a number of states that are known for being a leader when it comes to this type of regulation, so we'll see how that plays out over the next year or two. And we'll see how accurate my magic 8 ball is.

I think it's probably not bad. I agree with you. There's usually like a cascade of those first five or eight states that all go first on some of these things. So I'll keep my fingers crossed. I hope you're right. Let me ask you about something else. We'll switch to another story that I pushed out on the news site maybe a week ago or two weeks ago.

I was rereading that today. The HIMSS Cyber Forum in Washington, D.C. That was just a couple of weeks ago, right? You were on a panel or two or something there. How'd it go? What [00:08:00] did you gather from that? What are some of the takeaways, maybe things you knew, or maybe you were surprised about? For people who weren't there, what could they get from that conference, from that forum?

I think it was really good. This forum started out with Greg Garcia, who is the Executive Director of the Health Sector Coordinating Council. And he made a tremendous number of great points just setting the stage for where we're at as an industry with our cyber protections.

There was a lot of meat in his discussion. And if you haven't seen it or seen the preview of it, it's worth a read. So go to Drex's site and read that whole area there. It was followed by Erik Decker, who again talked about a lot of important things that are happening in cyber.

The panel that I was on was more about what is it like to be a CISO and in the healthcare industry and what does that mean? And how can we ensure that we're going to have a strong background of CISO talent and cybersecurity [00:09:00] workforce talent as we move forward? We know that this is a very talked about issue.

We saw President Biden come out with the National Cybersecurity Workforce and Education Plan in 2023, and they're starting to implement a lot of these training programs across the United States. But as the ISC2, or ISC squared, report came out for 2024 on October 31st, it indicated that, despite the fact that we're continuing to grow more and more workers, we still have an increasing gap in the number of unfilled positions in the United States.

And there's a lot of reasons for that, right? It's tough to be a CISO.

It's a really interesting stat. A 500,000 shortage in the workforce. And yeah, why? How do we overcome that too? It's one of those things I think we all struggle with.

Yeah, I don't know that I have the answer to how we overcome it. We are seeing an [00:10:00] increasing decline in job satisfaction for CISOs.

So you're seeing like a 24 month average turnover in that position. It's a very high stress load. It's hard to maintain for a long time, especially if you're looking for that work life balance or work life harmony. Yeah, there's also a big continuing growth in skills gaps.

It's like you may have people that are filling those positions, but they may not have the skills that you need as our industry looks toward newer skills. I think the report indicated that in health care 94 percent of organizations said they had a skills gap within their organization, and the two primary skills that they're saying they really need to train staff on are AI and cloud security.

So those two continue to top that list of skills gaps. So it'll be interesting to see how we continue to grow and meet the needs of [00:11:00] our cyber workforce over the next few years. Some of the things I know I've seen are organizations partnering with local schools or colleges to ensure that they're building a partnership there, so that they've got people coming out of those schools that are meeting the needs that they're seeing within their industry.

I know my old hospital, we used to partner with our actual local high school, and they had students that would come around and round with us and sit with us for a couple of days and see what the work is that we're doing, and just garner that interest within that workspace. I don't have all the answers, but I can say we need to figure out how we keep our qualified cyber staff happy.

What are the things that we can do as directors and managers and CISOs to ensure that they have satisfaction within their job and that we can allow them whenever possible to have that work life balance that keeps people interested in the [00:12:00] positions.

It definitely does. You and I both know people who have been through cyber events at their facilities, and when that happens, your work life balance is out of whack, and usually not just for a week.

This can go on for months before any kind of balance returns and sometimes that's a thing that is enough for somebody to say, I just can't do it anymore. I gotta go. The other thing that I know that you all talked about is the chronic problem of not enough females in the industry, in the healthcare cybersecurity space.

And we talk about that internally a lot too, as we put together forums or our own summits and our own city tours. We actively take this role of, okay, more minorities, more women, but it can be a challenge sometimes depending on the market you're going to and the places you're going to. There may not be a lot of females in the business.

So I'll ask you again, like, how do we help that problem? How do we get through that?

I've always been a proponent of the most qualified people for the job being the ones that get the [00:13:00] job. And right now, I think there's historically been a mindset in the industry that this is considered more of a man's world.

And I don't know that we're going to change that attitude overnight, but the more that we continue to advocate for the STEM type roles for women at early ages and break down that barrier that you don't belong there. Women are much more likely to have imposter syndrome, where I feel like I don't qualify for this job, so I'm not going to apply if I don't check all the boxes, right? Whereas men will say, hey, I checked two out of the ten, I'll give it a whirl. It's a different mindset. And it is going to take some time for us to break through that.

I can remember sitting in some of my high level math classes, and I took calculus based physics, and I looked around and I was like the only woman in the room, and I was a little apprehensive. And I talked to my professor [00:14:00] after, and he just looked at me and he said, you're going to be fine.

And I worry about all those boys in the class, but I'm not worried about you.

Yeah. Yeah. And I was fine. It's just a matter of how do we help women to get over those challenges of being less than and help promote ourselves within the industry.

And I have joined a group called Women in CyberSecurity. Yeah. And it's been very active. They now have a healthcare branch of that. And so I love working with that group just because I know that there are a lot of folks that need support from each other. And it's been a good thing for women in cyber to be part of that organization.

Years ago, Drex, you saw it, where women in health care were few. And now I think we're at about 50/50. Yeah. It'll just take a few years for us to also move into that security role.

One of your suggestions earlier was about the pipeline, how we get good people into the business and keep them coming in.

I know a lot of [00:15:00] organizations have partnered with their community colleges and with their universities, and they have internship programs. You talked about having high school kids come in and do tours and spend some time with you. Both boys and girls, young men and young women, coming in and seeing that environment and seeing what the job is like helps really open them up, I think, to this idea of, I could do that, or I think I would like doing that, or that seems like a really interesting and important job, maybe that's something I should consider, and I've never considered it before.

Hopefully, all of that creates this more diverse pipeline for cybersecurity, because we definitely need it.

Yeah, and I think it's important that for the women that are in cybersecurity, those that are thinking about it, those that are considering coming in, we provide an avenue for them, provide some mentorship for them to help grow and reach that.

I actually met with an individual yesterday who was recommended to me, just to meet with her and talk about what challenges she's seeing and how she can move [00:16:00] forward to address those and become part of the community. And it's interesting that we have such a skills gap and yet there's only like 25 percent females in the cyber security space right now.

So we've got a lot of untapped potential there. Especially when I was looking at the ISC2 report and it said 58 percent said that staffing shortages in cyber are putting their organizations at risk, and an additional 74 percent said that the cyber landscape is the worst they've ever seen.

So when you think about how you can remediate that and recruit and retain staff, we need to be totally inclusive in that.

Yeah, let me hit you with one other question: HIPAA regs. HIPAA regs are being revised. This is one of those things that happens from time to time.

A little color in the box over here, a little color in the box over there. But it feels like they're going after it in a bigger way now. What can you tell us about the [00:17:00] adjustments that may be coming in the HIPAA regulations?

I would say the HIPAA regulations may have changed over the years, but they have not adjusted the HIPAA security rule for 23 years.

And it's obviously not at a point currently where it can address the security landscape that we're facing today. HHS in their cyber security strategy document from December of last year indicated they were going to address the HIPAA security rule or consider changes to the HIPAA security rule in the spring of 2024.

They began considering them in the spring. In October, they submitted recommendations to the White House OMB for changes and updates to the HIPAA security rule. So we're seeing their plan was to have those changes go to NPRM, or notice of proposed rulemaking, by the end of this year for consideration in a 60 day comment [00:18:00] window.

That's the plan. And will we stick to that plan? That's still to be determined, but I would see that HIPAA security rule change, and security in healthcare in general, as a bipartisan issue. I would hope that we continue on this path to make some progress there.

It's a long road. The HIPAA security rule changes are long overdue. This is just me gassing with my magic eight ball again. I think we will see that NPRM come out. But I think that the comment period is currently set for 60 days. That may be extended, like we saw with the CIRCIA rule.

And we may have a longer period for changes. Perhaps the current administration has some different ideas about what that might look like, but I don't think that this will completely stall and go away. I think it may be delayed a little bit, but I think we'll see it pass, possibly in 2025.

That's my magic 8 [00:19:00] ball prediction, because as we look at the HHS proposed FY 2025 budget, we see the CPGs being required, or being incentivized, by 2027. So how do we move these CPGs from voluntary to mandatory, and what are the different levers that we're seeing in order to do that? I also saw an article just last week that indicated there is some proposed alignment between the CPGs and MIPS, the merit based incentive program, potentially being tagged with some incentives for providers that are meeting the CPGs. So that might be another interesting approach to ensure that these cyber performance goals are being adopted across the healthcare industry.

Yeah, we didn't get here overnight. There's a little bit of orchestra conducting that's going to have to happen, I think, to get us [00:20:00] to where we really want to be, and there's lots of moving parts. I really appreciate you being on the show today, walking us through some of it from state to federal and in between.

Thanks again for being here. Kate Pierce from Fortified.

Hey, my pleasure. Great to see you as always, Drex. See you next week.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.