In the digital age, cybersecurity has been pushed to the forefront of organizations’ priorities. Today, cybersecurity is a paramount issue for the United States’ critical infrastructure as growing cyber attacks continue to threaten some of the most important foundational systems in our country.
Healthcare organizations, for instance, are tasked with protecting vast troves of sensitive data, including personal medical information for American citizens, while also complying with privacy policies, HIPAA requirements and other information security regulations.
La Monte Yarborough, chief information security officer for the U.S. Department of Health and Human Services, said there’s also an important data aspect of the cybersecurity conversation inside his agency.
“Indeed, there are privacy elements associated with sensitive data, but there’s also a data governance strategy with respect to accessing that data,” Yarborough said during a panel discussion led by HP Federal Chief Technology Officer Dr. Tommy Gardner at the Potomac Officers Club’s virtual Enhancing Cybersecurity for Critical Civilian Infrastructure Forum.
“And of course, within the cyber space, there’s a ‘least privilege’ notion as well. True that there may be medical professionals who need the ability to acquire certain information at specific points in time, but there needs to be a construct from a data governance perspective to discern who among those medical professionals should have that access,” he elaborated.
But there’s not one singular answer to the data protection quandary in an organization as large and data-heavy as HHS, and Yarborough suggested that each situation’s context should be taken into account in order to build the most effective data strategies.
“Trying to contain that beast, if you will, is not a one size fits all strategy, because a lot of it is contextual depending on where you reside, what type of data you’re working with, and the measures that you undertake to protect it,” Yarborough explained.
Yarborough highlighted HHS’ Health Sector Cybersecurity Coordination Center, or HC3, as one of the agency’s key efforts to support the defense of the healthcare sector’s information technology infrastructure through providing federal employees with ways to better protect themselves against threats.
“A lot of folks within our sector entered that sector, not to be it cyber folks or IT folks. They entered that community to help care for people and take care of people. So we, through HC3, try to provide some objective information to the sector about cyber threat issues and how those issues might impact the sector, along with some actionable information that they can rely upon to help and mitigation and prevention efforts,” Yarborough said.
The financial sector is another high risk industry for cyber attacks, and George Salmoiraghi, acting director of Sector Cyber Intelligence, Risk Analysis and Resilience at the Department of the Treasury, said his agency is focusing largely on resilience to a wide variety of risk factors.
“We take an all hazards approach,” Salmoiraghi explained. “We are vulnerable to activities from hackers to hurricanes, and if things go down, it can have a multitude of reasons. So we try to build in protections that will allow us to kind of get ahead of issues, be able to practice what exercises might look like and be able to respond and recover.”
Salmoiraghi noted that the Department of the Treasury is an essential component in the protection of the country’s infrastructure because of its ability to liaise with other federal agencies, private sector partners and regulatory colleagues both domestically and internationally.
“We serve as the interface with the rest of the United States government. So financial services is one piece of the broader critical infrastructure puzzle, which means that we have the opportunity to work closely with colleagues at CISA, colleagues at HHS, colleagues at [the Department of State], and we do so on a regular basis as part of either daily activity or as part of interagency or broad policy formulation or activities where there are cross-cutting issues,” he shared.
The Cybersecurity and Infrastructure Security Agency plays a similar role for government agencies in the cybersecurity space as it works to level the playing field and enable each agency to achieve the appropriate degree of protection.
CISA’s Continuous Diagnostics and Mitigation program was established 10 years ago to help agencies reach a level of common parity and maturity in their cybersecurity capabilities, but CDM Program Manager Matt House said the program is expecting to undergo notable shifts in the near future.
“We’re going through some changes in terms of how we pivot for what would likely be the next decade here,” House shared.
“We have often over the last 10 years operated in a role where we are the broker for the HHS, the treasuries, and even the small micro agencies… to ensure that everybody has access to critical cybersecurity capabilities, that they’re implemented in a way that that gives everyone parity and gives everybody a venue through the CDM dashboards to look at things from the same perspective,” he reflected.
Going forward, House said CISA’s CDM program aims to break down barriers between agencies to make it easier for the agency to share information and lessons learned more easily across the government.
House explained that as CISA works with another agency on an acute problem, it should then be able to disseminate information to the other agencies so that they don’t have to discover the same problem independently.
Are you interested in learning more about cyber and how it impacts the broader federal government? Join the Potomac Officers Club’s 2023 Cyber Summit on June 8 to hear insights from cyber experts across government and industry. Register here.