Joint Cybersecurity Advisory issued; Internet of Things Cybersecurity Act updates

Since Physicians Practice® has a wide breadth of readers, which include physicians that are owners in companies that participate in U.S. Government procurement processes with various government agencies, I wanted to provide an overview of some key terms and standards, as well as share some take-aways, which relate back to healthcare providers.

But, first, there are two recent cybersecurity items which deserve attention. The FBI and CISA issued a Joint Cybersecurity Advisory to warn of “a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass- scanning and uses tools, such as Nmap, to identify open ports.” Given the increase in cyberattacks during COVID-19, as well as the increase in telecommuting and telehealth, which were rapidly deployed, it is critical for covered entities, business associates, and subcontractors to conduct their annual risk analyses.

Another item is the House passing the Internet of Things (IoT) Cybersecurity Improvement Act, which was initially introduced in the Senate in 2017 and reintroduced in 2019. The bill received bi-partisan support to improve “the cybersecurity of Internet-connected devices by requiring that devices purchased by the U.S. government meet minimum-security requirements.” If adopted, the bill would require the following:

• Require the National Institute of Standards and Technology (NIST) to issue standards and guidelines addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
• Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
• Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
• Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
• Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation.

Many of these requirements are similar to other areas of procurement. First and foremost, the National Institutes for Standards and Technology (“NIST”) requirements must be met. This makes sense because the U.S. Government has these compulsory requirements internally. In order to mitigate the risk of hiring a vendor with inadequate technical, administrative, and physical safeguards, the Government uses NIST as a foundation.

NIST is also incorporated into a variety of laws including, but not limited to the following:

• The Federal Acquisition Regulation (“FAR”) - The purpose of “[t]he Federal Acquisition Regulations System is established for the codification and publication of uniform policies and procedures for acquisition by all executive agencies. The Federal Acquisition Regulations System consists of the Federal Acquisition Regulation (FAR), which is the primary document, and agency acquisition regulations that implement or supplement the FAR.” See 48 C.F.R. § 1.101. Basically, FAR provides the groundwork for procurement.
• The Procurement Integrity Act - was amended in 1996 under the National Defense Authorization Act, Pub. L. 104-106 (Feb. 10, 1996), implemented through FAR, 48 C.F.R. § 3.104. Its primary purpose was to ensure integrity in the Federal government’s procurement process.
• Federal Risk and Authorization Management Program (“FedRAMP”) – was created to provide a “standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. NIST advises FedRAMP on FISMA compliance requirements and assists in developing the standards for the accreditation of independent 3PAOs.”

What can physicians, covered entities, and business associates take-away from the government procurement process? First, NIST standards should be incorporated into an entity’s annual HIPAA risk analysis and related policies and procedures. Second, providers contract with the Centers for Medicare and Medicaid Services to participate in Medicare, Medicaid, and TRICARE–read the provider agreement, as well as the attestation portion of the CMS and TRICARE claim forms. Lastly (and it should really go without saying), be truthful when submitting any document to the government, especially when payment is involved.

_{About the Author}

_{Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.}