Trump’s broad cybersecurity executive order has implications for HHS

HHS is among the agencies that will submit a risk management report within 90 days under President Trump's cybersecurity executive order.

An executive order signed by President Donald Trump on Thursday aims to improve cybersecurity capabilities across the federal government, including the Department of Health and Human Services, which has been repeatedly criticized over the last several years for not adequately addressing persistent vulnerabilities.

Although much of the executive order requires defense and law enforcement agencies to conduct a broad risk assessment of the government’s cybersecurity capabilities—highlighting concerns regarding the nation’s energy grid and the financial services sector—a portion of the directive requires critical infrastructure agencies to identify vulnerabilities that could affect public health or safety.

Under an executive order signed by President Barack Obama in 2013, the Department of Health and Human Services is identified as the sector-specific agency for healthcare and public health—one of 16 critical infrastructure sectors classified by the Obama administration. Trump’s order requires a thorough review of all sector-specific agencies within 180 days, and requires each agency head to provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget within 90 days.


The directive also requires each agency to adhere to the National Institute of Standards and Technology cybersecurity framework, an issue that certain departments within HHS continue to struggle with.

In a press briefing on Thursday, Tom Bossert, assistant to the president for homeland security and counterterrorism, said cyberattacks on federal systems are trending in the wrong direction, and “sitting by and doing nothing is no longer an option.”

But the timetable laid out in the executive order is “not feasible,” Dan Tentler, founder of security firm Phobos Group, told ZDNet.

“Unless they decide to be a bit more specific regarding risk, any 'risk report' that comes from a high level division of the government will probably be a picture of a guy with his head on fire, and 600 pages of screaming,” he added.


The requirements outlined in the president’s directive—and the quick turnaround—may be a formidable task for HHS. Over the past several years, the agency has faced a barrage of criticisms from watchdog agencies regarding its cybersecurity vulnerabilities. Most recently, the Office of the Inspector General (OIG) highlighted 10 cybersecurity weaknesses, many of which were identified a year prior.

One of those vulnerabilities included the fact that operating divisions within HHS do not consistently implement the NIST framework.

Previous reports have slammed HHS for not prioritizing cybersecurity and allowing vulnerabilities to linger, although HHS CIO Beth Killoran has since made cybersecurity a key part of the agency’s strategic plan and has said that cybersecurity is the number one issue that keeps her up at night.


Trump’s executive order also emphasizes a preference for shifting government systems to the cloud rather than spending time protecting antiquated IT systems, and it seeks to address gaps in the nation's cybersecurity workforce.

“We have to move to the cloud and protect ourselves instead of fracturing our security posture,” Bossert said.