The Cybersecurity and Infrastructure Security Agency this week released a binding operational directive requiring federal agencies to patch known exploited vulnerabilities carrying "significant risk" to the federal enterprise.
The directive also established a catalog of nearly 300 vulnerabilities, each with an accompanying due date for taking action. Roughly a third of those due dates fall within two weeks.
"This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf," explained the directive.
"These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates or otherwise maintains agency information," it continued.
WHY IT MATTERS
As reported by the Wall Street Journal, the directive is one of the widest-ranging mandates of its kind.
It applies to all departments and agencies, save for the Department of Defense, the Central Intelligence Agency and the Office of the Director of National Intelligence.
The Journal noted, too, that the directive is the first to require patches for both internet-connected and offline systems.
Agencies have until November 17 to address the vulnerabilities discovered by cyber professionals in 2021, and up to six months to fix the remaining 200 or so flagged in previous years.
"These default timelines may be adjusted in the case of grave risk to the Federal Enterprise," the directive read.
Agencies are also required to review and update agency internal vulnerability management procedures, including providing a copy of those procedures to CISA upon request.
The policies must, at a minimum:
Establish a process for ongoing remediation of CISA-identified vulnerabilities.
Assign roles and responsibilities for executing directive-required agency actions.
Define necessary actions required to enable prompt response to directive-required actions.
Establish internal validation and enforcement procedures to ensure adherence with the directive.
Set internal tracking and reporting requirements to evaluate adherence with this directive, as well as provide necessary reporting to CISA.
In addition, agencies must report on the status of listed vulnerabilities.
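The tracking and reporting requirement above, as an added illustration that is not part of the article or of the directive itself: a small Python tracker that takes catalog entries with per-entry due dates, compares them against an agency's own remediation record, and produces the counts and the due-date-ordered work list a remediation team would report on. The catalog entries, vendor names, CVE identifiers and remediation record below are constructed placeholders, and the field names (`cve_id`, `vendor`, `due_date`) are an assumption, not the catalog's actual schema.

```python
"""Track remediation status against a catalog of known exploited vulnerabilities
that carries a due date per entry (modelled on the structure the article describes)."""
from collections import Counter
from datetime import date, timedelta

# Constructed sample catalog. IDs, vendors and dates are placeholders, not real
# catalog records; the field names are an assumption about the data layout.
SAMPLE_CATALOG = [
    {"cve_id": "CVE-EXAMPLE-0001", "vendor": "VendorA", "due_date": "2021-11-17"},
    {"cve_id": "CVE-EXAMPLE-0002", "vendor": "VendorB", "due_date": "2021-11-17"},
    {"cve_id": "CVE-EXAMPLE-0003", "vendor": "VendorA", "due_date": "2022-05-03"},
    {"cve_id": "CVE-EXAMPLE-0004", "vendor": "VendorC", "due_date": "2021-11-01"},
    {"cve_id": "CVE-EXAMPLE-0005", "vendor": "VendorB", "due_date": "2021-11-24"},
    {"cve_id": "CVE-EXAMPLE-0006", "vendor": "VendorA", "due_date": "2021-11-25"},
]

# Constructed record of what the agency's own tracking says has been fixed.
SAMPLE_REMEDIATED = {"CVE-EXAMPLE-0002"}


def parse_catalog(entries):
    """Convert ISO date strings to date objects. A malformed date raises rather
    than silently dropping a vulnerability from the report."""
    return [
        {
            "cve_id": e["cve_id"],
            "vendor": e["vendor"],
            "due_date": date.fromisoformat(e["due_date"]),
        }
        for e in entries
    ]


def classify(entry, remediated_ids, today, window_days=14):
    """Status of one catalog entry relative to today's date."""
    if entry["cve_id"] in remediated_ids:
        return "remediated"
    due = entry["due_date"]
    if due < today:
        return "overdue"
    if due <= today + timedelta(days=window_days):
        return "due_soon"
    return "scheduled"


def status_report(entries, remediated_ids, today, window_days=14):
    """Summarise the catalog: counts per status plus the open items ordered by
    due date, which is the list a remediation team works from top to bottom.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    parsed = parse_catalog(entries)
    statuses = {
        e["cve_id"]: classify(e, remediated_ids, today, window_days) for e in parsed
    }
    open_items = sorted(
        (e for e in parsed if statuses[e["cve_id"]] != "remediated"),
        key=lambda e: e["due_date"],
    )
    return {
        "counts": dict(Counter(statuses.values())),
        # (cve_id, status, days until due; negative means already overdue)
        "open_items": [
            (e["cve_id"], statuses[e["cve_id"]], (e["due_date"] - today).days)
            for e in open_items
        ],
    }


if __name__ == "__main__":
    report = status_report(SAMPLE_CATALOG, SAMPLE_REMEDIATED, "2021-11-10")
    for cve_id, status, days in report["open_items"]:
        print(f"{cve_id:18} {status:10} due in {days:>4} day(s)")
    print(report["counts"])
```

The 14-day window matches the article's observation that roughly a third of the catalog's due dates fall within two weeks; run against a real export, the `overdue` and `due_soon` buckets are the figures that feed the status reporting the directive asks for.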
The listed flaws originate with a range of companies, including Google, Apple and Android, although Microsoft is the vendor that appears most frequently. CISA said it will regularly update the catalog.
CISA said the directive does not replace BOD 19-02, a 2019 directive that requires remediation of critical and high vulnerabilities on internet-facing federal information systems.
"Instead of only focusing on vulnerabilities that carry a specific [common vulnerability scoring system] score, CISA is targeting vulnerabilities for remediation that have known exploits and are being actively exploited by malicious cyber actors," said the agency in a fact sheet accompanying the directive.
CISA Director Jen Easterly noted on Twitter that the vulnerability catalog could help members of the private sector as well. "The [binding operational directive] applies to federal civilian agencies; however, ALL organizations should adopt this directive and prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations," she wrote in a post on Wednesday.
"Knowing which vulnerabilities are currently being exploited by cybercriminals allows the private sector to leverage CISA’s expertise to operate on a more level playing field, and should be an important tool in the never-ending fight against cybercriminals," said Robert Cattanach, a partner at the international law firm Dorsey and Whitney, in a statement sent to Healthcare IT News.
THE LARGER TREND
Federal agencies have not been exempt from bad actors' attempts to take advantage of vulnerabilities – and the consequences are often wide-ranging.
One of the most prominent incidents in recent months, of course, was the SolarWinds breach, which led to the victimization of numerous agencies, including the National Institutes of Health and the Centers for Disease Control and Prevention.
The SolarWinds Orion Platform appeared on CISA's catalog of vulnerabilities.
ON THE RECORD
"The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector and ultimately the American people’s security and privacy. The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise," read the directive.
"Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types. These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents," it continued.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.