HHS not required to issue more cybersecurity regulations

The U.S. Department of Health and Human Services has sufficient voluntary measures in place to address cybersecurity, making further regulations unnecessary, the White House announced.

It was one of three agencies, along with Homeland Security and the Environmental Protection Agency, told they don't need to come up with more rules. The announcement, written by Michael Daniel, White House cybersecurity coordinator, did not address other federal agencies.

A February 2013 presidential executive order required agencies to determine whether existing regulations were sufficient and could be better aligned with the National Institute of Standards and Technology cybersecurity framework released last February.

This "doesn't mean that we don't have more work to do to secure our critical systems and information throughout the country. Nor does it mean that we can stop working to ensure that regulations as written are clear, streamlined, and harmonized. It does mean that agencies with regulatory authority have determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to those systems," Daniel wrote.

In its response, HHS argued that its regulatory requirements were sufficient, but it has undertaken other activities to reduce the cyber risk of private sector critical infrastructure partners.

These include the Critical Infrastructure Protection Program conducted jointly with the Agriculture Department and the Food and Drug Administration. A cybersecurity primer was distilled into a fact sheet and checklist for the healthcare industry. It also launched its Critical Infrastructure Cyber Community (C3) Voluntary Program to coordinate cross-sector cybersecurity efforts.

The FBI's warning in April about healthcare's vulnerability to cyber attack was just one of a flurry of cautions issued lately. Simulated attacks carried out by HHS and HITRUST revealed that many organizations need to go back to basic security "block and tackling" and the industry needs to be more open about its issues to increase overall awareness.

To learn more:
- read the White House announcement
- here's the HHS report
- learn about the C3 program