October is National Cybersecurity Awareness Month and is an effort to raise awareness on the continued threats posed by cyberattacks and the activities that are being pursued to protect against future cyberattacks. The Secretary of the United States Department of Homeland Security (DHS), Kirstjen M. Nielsen, recently spoke about DHS’ efforts to protect against threats and secure the nation’s election systems. Secretary Nielsen described existing cybersecurity legislation, information sharing improvements, 2018 Election Day preparations and threats, and the 2017 Intel Community Assessment. The full discussion can be found here.
Beyond just securing our election system from cyber threats, many federal and national agencies are working hard to ensure other critical sectors including healthcare and public health are also protected from cyber threats. The U.S. Department of the Assistant Secretary for Preparedness and Response (ASPR) currently houses the Critical Infrastructure Protection (CIP) Program which protects essential goods, services, and functions of public health and healthcare from terrorist attacks or other hazards. ASPR also has a variety of relevant cybersecurity resources for healthcare and public health organizations housed on ASPR TRACIE.
The National Association of County and City Health Officials (NACCHO) also recognizes the need to build additional local health department (LHD) capacity in cybersecurity preparedness. In the 2016 Preparedness Profile Assessment Report, 37 percent of LHDs ranked cybersecurity as one their top three threats that they are most concerned with affecting their community in the future. In addition, only 26 percent of LHDs have conducted cybersecurity preparedness planning in the past year with even fewer LHDs doing trainings, exercises, and coordination with partners on cybersecurity (15, 1, and 9 percent, respectively). This disparity between perceived threat and action being taken to address the threat indicates more needs to be done to promote and advance preparedness efforts in this area.
During the 2018 Preparedness Summit, NACCHO hosted a plenary session on cybersecurity entitled “A Troubling Gap: Why Cyber Security Matters to Public Health Emergency Preparedness” (video recording available here). This discussion included panelists which discussed cybersecurity threats and the role of LHDs in responding to a cyberattack that impacts health department operations. This session will help health departments hoping to better understand how a cyberattack may impact their operations and provides strategies for how they can better prepare for cyberattacks.
NACCHO, in collaboration with ASPR, also conducted a needs assessment of LHD and healthcare cybersecurity preparedness to better understand the gaps and challenges that prevent cybersecurity preparedness planning from advancing. The needs assessment focused on two main topic areas: (1) cybersecurity preparedness strategies for public health and healthcare IT systems; and (2) cybersecurity incident recovery and information-sharing needs. The needs assessment questions were integrated into two sessions at the 2018 Preparedness Summit and a combination of qualitative and quantitative data was collected from conference attendees. The needs assessment revealed the following gaps persisted at the local level:
- Some participants indicated a minimal or non-existent role for their organization’s preparedness program in responding to a cybersecurity attack.
- There is increasing interest at the state and local levels to conduct cybersecurity planning, but there is a lack of public health-specific cybersecurity guidance, templates, and tools.
- Strategies to prepare for cyberattacks vary widely by jurisdictions; there are not well-recognized best practices for health departments to follow.
- There can be difficulties getting state and local leadership buy-in to pursue cybersecurity planning.
- Public messaging and strategies for information dissemination following a cyberattack vary among health departments.
NACCHO provided federal and national partners a number of recommendations to address these gaps including increasing the available guidance, resources, training, templates, and best practice examples to assist local health department preparedness efforts.
An additional product created as result of the data collected as part of the needs assessment was a fact sheet entitled “Cybersecurity Preparedness Considerations for Public Health and Healthcare Organizations.” This fact sheet provides information on roles, strategies, considerations, and barriers for public health and healthcare cybersecurity preparedness. NACCHO also published a report in 2014 which provides additional recommendations to help local health departments be better prepared for cyberattacks. These combined efforts and resources will hopefully raise awareness of cybersecurity issues at the local level and provide some key resources to help LHDs advance their cybersecurity planning.