UnHack (the News): New York Cyber Mandate, HIPAA’s Future, and Workforce Inclusion with Kate Pierce
Learn more at fortifiedhealthsecurity.com
Today on Unhack the News.
(Intro) We have such a skills gap, and yet there's only like 25 percent females in the cybersecurity space right now.
So we've got a lot of untapped potential there.
[...] and this is Unhack the News, a [...]
And now, this episode of Unhack the News. (Main)
Hey everyone.
I'm Drex and this is Unhack the News where I spend a little bit of time talking to really smart people about some of the stuff that's happening in healthcare cybersecurity. My guest today is Kate Pierce from Fortified Health Security. Welcome to the show, Kate.
Oh, thanks, Drex. It's such an honor to be asked to meet with you and have a chat about cybersecurity.
It's always good to talk to you. We're on the Health Sector Coordinating Council Cybersecurity Working Group together. I'll see you next week in San Diego in person, so we'll be able to break bread together. But I'm glad I get to talk to you now. There's just so many things to talk about. So many interesting things that are happening.
[...] the News and on the Two Minute [...] Like now it's unfolded, right? It's real. You've dug into this. You spend a lot of time thinking about this stuff. What do we all need to know?
I think what we're seeing is New York State taking the lead in cyber policy for healthcare organizations. I think they were waiting initially for maybe the federal government to come out and take the lead, but we haven't seen that.
And so they said, hey, you know what, we need to protect the hospitals within our state. And so they developed a very comprehensive set of cybersecurity regulations that are going to affect just over 200 hospitals in the state of New York. The proposed rule went into effect October 2nd.
[...] So they've only got until October 2nd of 2025 to implement those rules. And they're very comprehensive when you look at it. They're above and beyond anything we see in HIPAA right now. Effectively, one of the things that stood out to me is every organization has to name a chief information security officer, and it can be an employee or it can be outsourced, but they have to be qualified.
Yeah, what does that mean, qualified? How are they defining that?
They've got some verbiage in the rule that talks about how it has to be someone who has experience, who has the ability to assume that role. I don't want to get into the exact details, but it can't be just you go into someone's office and say, you're it, tag.
[...] they're going to be overseeing. [...] And most everything they're calling for is not outside the scope of what we see in the cybersecurity performance goals, or even if you're following the NIST CSF framework; it pretty much follows along with what's outlined there. They're just saying, hey, it's no longer voluntary in the state of New York.
[...] Were there some funds that came with this, or was this sort of sans funding? You need to get your house in order, and we're going to be looking in 11 months or whatever it is?
[...] program effective. [...] This is an ongoing process that's going to need year over year funding. When you think about it, they're proposing 650 million for this. The government has proposed 1.3 billion for the entire country, so we can see that they're actually taking it very seriously in New York.
Yeah, that's a lot.
So you said it's broken down by hospital size or hospital type. Can you tell me more about what that means?
[...] ongoing cost of approximately [...] And for large facilities their cost estimates are up to 2 million a year. So they've actually really thought it through and thought about how the size of the hospital affects the amount of funding that you would be allocated and how you can do it, as I said before, not just a one and done, but this is your year over year funding to help you with your cyber program.
So, I like it. It's going to be a multi-year program too. That's cool. What do you think? I know none of us know, and this is me asking you to get your magic 8 ball out and give it a good shake. What's this mean for other states, as we watch this unfold in New York, and other people who are listening to this from around the country or are watching what's happening in New York?
What do you think it means for them?
[...] those types of things, I would [...] We should see something in California, maybe Colorado, Washington, Massachusetts. There are a number of states that are known for being leaders when it comes to this type of regulation, so we'll see how that plays out over the next year or two. And we'll see how accurate my magic 8 ball is.
I think it's probably not bad. I agree with you. There's usually a cascade of those first five or eight states that all go first on some of these things. So I'll keep my fingers crossed. I hope you're right. Let me ask you about something else. We'll switch to another story that I pushed out on the new site maybe a week ago or two weeks ago.
[...] there. How'd it go? [...] I think it was really good. This forum started out with Greg Garcia, who is the Executive Director of the Health Sector Coordinating Council. And he made a tremendous number of great points just setting the stage for where we're at as an industry with our cyber protections.
There was a lot of meat in his discussion. And if you haven't seen it, or seen the preview of it, it's worth a read. And so go to Drex's site and read that whole area there. It was followed by Eric Decker, who again talked about a lot of important things that are happening in cyber.
[...] CISO talent and cybersecurity [...] We saw President Biden come out with the National Cybersecurity Workforce and Education Plan in 2023, and they're starting to implement a lot of these training programs across the United States. But the ISC2 (ISC squared) report for 2024 came out October 31st, and it indicated that, despite the fact that we're continuing to grow more and more workers, we still have an increasing gap in the number of unfilled positions in the United States.
And there's a lot of reasons for that, right? It's tough to be a CISO. It's a really interesting stat: a 500,000 shortage in the workforce. And yeah, why? How do we overcome that too? It's one of those things I think we all struggle with.
[...] we are seeing like a [...] So you're seeing like a 24-month average turnover in that position. So people are in that position, and it's a very high stress load. It's hard to maintain for a long time, especially if you're looking for that work-life balance or work-life harmony. Yeah, there's also a big continuing growth in skills gaps.
It's like you may have people that are filling those positions, but they may not have the skills that you need as our industry looks toward newer skills. I think the report indicated that in healthcare 94 percent of organizations said they had a skills gap within their organization, and the two primary skills that they're saying they really need to train staff on are AI and cloud security.
[...] to grow and meet the needs of [...] I know at my old hospital, we used to partner with our actual local high school, and they had students that would come around and round with us and sit with us for a couple of days and see what the work is that we're doing, and just garner that interest within that workspace. I don't have all the answers, but I can say we need to figure out how we keep our qualified cyber staff happy.
[...] keeps people interested in the [...] It definitely... you and I both know people who have been through cyber events at their facilities, and when that happens, your work-life balance is out of whack, and usually not just for a week.
This can go on for months before any kind of balance returns, and sometimes that's enough for somebody to say, I just can't do it anymore, I gotta go. The other thing that I know you all talked about is the chronic problem of not enough females in the industry, in the healthcare cybersecurity space.
And we talk about that internally a lot too, as we put together forums or our own summits and our own city tours. Like, we actively take this role of, okay, more minorities, more women, but it can be a challenge sometimes, depending on the market you're going to and the places you're going to; there may not be a lot of females in the business.
So I'll ask you again, like, how do we help that problem? How do we get through that?
[...] would be the ones that get the [...] And I don't know that we're going to change that attitude overnight, but the more that we continue to advocate for the STEM type roles for women at early ages and break down that barrier that you don't belong there. Or, women are much more likely to have imposter syndrome, where I feel like I don't qualify for this job, so I'm not going to apply if I don't check all the boxes, right? Whereas men will say, hey, I checked two out of the ten, I'll give it a whirl. It's a different mindset. And it is going to take some time for us to break through that.
[...] and I talked to my professor [...] And I worry about all those boys in the class, but I'm not worried about you.
Yeah. Yeah. And I was fine. It's just a matter of how do we help women to get over those challenges of being less than, and help promote ourselves within the industry.
And I have joined a group called Women in Cyber Security. Yeah. And it's been very active. They now have a healthcare branch of that. And so I love working with that group, just because I know that there are a lot of folks that need support from each other. And it's been a good thing for women in cyber to be part of that organization.
[...] years ago, Drex, you saw it, where women in healthcare [...] And now I think we're at about 50-50. Yeah. It'll just take a few years for us to also move into that security role.
One of your suggestions too earlier about the pipeline of how do we get good people into the business, and keep them coming in.
I know a lot of [...] Hopefully, all of that creates this more diverse pipeline for cybersecurity, because we definitely need it.
Yeah, and I think it's important, for the women that are in cybersecurity, those that are thinking about it, those that are considering coming in, to just provide an avenue for them, provide some mentorship for them to help grow and reach that.
[...] seeing and how she can move [...] So we've got a lot of untapped potential there. Especially when I was looking at the ISC squared report, and it said 58 percent said that staffing shortages in cyber are putting their organizations at risk, and an additional 74 percent said that the cyber landscape is the worst they've ever seen.
So when you think about, like, how can you remediate that and recruit and retain staff? We need to be totally inclusive in that.
Yeah, let me hit you with one other question: HIPAA regs. HIPAA regs are being revised. This is one of those things that happens from time to time.
What can you tell us about the [...] I would say the HIPAA regulations may have changed over the years, but they have not adjusted the HIPAA security rule for 23 years.
[...] security rule in the spring of [...] They began considering them in the spring. In October, they submitted recommendations to the White House OMB for changes and updates to the HIPAA security rule. So we're seeing their plan was to have those changes go to NPRM, or notice of proposed rulemaking, by the end of this year for consideration in a 60-day comment window.
That was the... that's the plan. And will we stick to that plan? That's still to be determined, but I would see that HIPAA security rule change... security and healthcare in general is a bipartisan issue. I would hope that we continue on this path to make some progress there.
It's a long road. The HIPAA security rule changes are long overdue. This is just me gassing with my magic 8 ball again. I think we will see that NPRM come out. But I think that the comment period is currently set for 60 days. That may be extended, like we saw with the CIRCIA rule.
[...] we'll see it pass, possibly in [...] That's my magic 8 ball prediction, because as we look at the HHS proposed FY 2025 budget, we see the CPGs being required, or being incentivized, by 2027. So how do we move these CPGs from voluntary to mandatory, and what are the different levers that we're seeing in order to do that? I also saw an article just last week that indicated there is some proposed alignment with the CPGs and MIPS, when you see the merit-based incentive program potentially being tagged with some incentives for providers that are meeting the CPGs. So that might be another interesting approach to ensure that these cyber performance goals are being [...] parts of the healthcare industry.
[...] to happen, I think, to get us [...] Thanks again for being here, Kate Pierce from Fortified.
Hey, my pleasure. Great to see you as always, Drex. See you next week.
Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.
Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.