Introduction
Key Takeaways
New regulations follow on the heels of massive SolarWinds breach that affected federal agencies
Cyber-attacks are on the rise across most industries and organizations entrusted to protect and secure sensitive data face increasing odds against attackers.
It’s a problem compounded by expanding attack surfaces where even small and mid-sized businesses (SMBs) are adopting new technologies and assets at unprecedented rates, making it ever-more challenging for cybersecurity, risk management, and data privacy teams to secure perimeters and meet all legal, regulatory, and compliance obligations.
In 2020, cyber-attacks exposed more than 37 billion records, more than 140% increase from 2019.
For organizations that work with U.S. government agencies, there are even more potential compliance mandates on the horizon—if a planned executive order from the current presidential administration comes to fruition.
Last month, chatter picked up about this potential order that could require all software vendors that work with the federal government to report to their government partner agency if the vendor falls victim to a cybersecurity breach.
In early April, the executive order was not yet finalized, but many analysts indicated the likelihood was looming, which, after the 2020 SolarWinds hack isn’t a surprise to those closely watching the evolution of cybersecurity practices and mandates for dealing with sensitive government information.
The SolarWinds Attack
In early December 2020, FireEye, a cybersecurity firm, experienced a nation-state attack. Less than a week later while investigating this attack, the company discovered a supply chain attack where attackers had used backdoor methods to gain entry into SolarWinds software, which allowed it to rapidly distribute malware across the supply chain.
SolarWinds designs software solutions to help enterprises manage information technology, systems, and networks. It appears attackers gained access into SolarWind’s Orion system sometime in early 2020, which put data of its more than 30,000 customers at risk of exposure, including companies such as Microsoft and Intel, and government agencies such as the Department of Energy, Department of Homeland Security, State Department, the Treasury, and the National Nuclear Security Administration.
When SolarWinds sent out routine updates to its software in 2020, it's believed those updates contained hacked code that gave attackers a backdoor into those customers’ technology systems. Once in, they were able to install additional malware to spy on those customers.
While the full impact of the breach is still being tallied, SolarWinds indicated in early 2021 that as many 18,000 customers had installed updates that could make them vulnerable to an attack, which went undetected for several months.
The investigation continues, but early reports point to Russian intelligence as the culprit, which the nation has denied. Nevertheless, the impact is far-reaching, for example, compromise of federal email accounts and networks.
Exactly how long it will take to determine everyone who has been affected, to what extent, and what will need to happen to resolve breach effects is still unknown. Some experts estimate it could be years before we know the full impact.
Drawing on HIPAA Breach Reporting
As organizations wait for a formal draft of the newest executive order to become public, many feel the government’s push forward with mandated cyber breach reporting and related security measures are long overdue. In fact, some organizations already meet similar requirements as part of the Health Insurance Portability and Accountability Act (HIPAA). Will this executive order draw on existing measures already in place related to cybersecurity and privacy mandates outlined by HIPAA’s Breach Notification Rule? We don’t yet know.
As part of HIPAA, all healthcare-covered entities and their related business associates are required to meet certain privacy and security guidelines to ensure personal health information (PHI) and personally identifiable information (PII) are protected. When a covered entity or a business associate experiences a breach that affects 500 or more individuals, the HIPAA Breach Notification Rule requires reporting that breach to the Department of Health and Human Service’s Office for Civil Rights (OCR).
The HIPAA Breach Notification Rule defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
While some exceptions negate the disclosure requirement, in most cases, following a breach or impermissible use or disclosure of protected data, covered entities and business associates must make notification of the breach to those who are affected and to the Secretary of Health and Human Services (via a breach reporting form on the HHS website). In some cases, a notification must also be made to the media.
Following a breach report, OCR launches an investigation, which, depending on the scope and severity, can last months or longer. Those reports are publicly available at https://www.hhs.gov/ocr/index.html. So far in 2021, OCR is investigating more than 130 reports, following on the heels of a record number of investigations in 2020.
Many cases OCR investigates result in the agency providing technical assistance to the entity or business associate to help them understand what they need to do to mitigate PHI exposure risks. However, there is an increasing number of finalized investigations now ending in significant penalties and fines.
In March 2021, for example, OCR announced it had settled its 18th enforcement action related to the HIPAA Right of Access Initiative. The most recent one resulted in fines of $30,000, which is overshadowed by much larger recent penalties, for example, the $5.1 million settlement announced in January following an investigation into a health insurer related to a breach that affected more than 9 million people.
Previous Breach Reporting Attempts
This is not the first time the federal government has taken steps to shore up national cybersecurity measures.
In 2017, Senate Bill 2179 called for a national Data Security and Breach Notification Act that would create a federal standard for breach reporting.
The bill would have required companies to notify consumers of data breaches within 30 days of discovery and included penalties for intentionally withholding this information, including up to five years in prison. The bill died in Congress and did not become law. There was pushback against the initiative, with many noting most states already have similar laws, which they said negated the need for a federal mandate.
Today, all 50 states now require both private companies and government agencies to notify individuals affected by breaches of Personally Identifiable Information (PII). Many are also taking steps to further strengthen existing measures including moving toward practices similar to those enacted in the European Union (EU) with its General Data Protection Regulation (GDPR), which guides data protection and privacy for collecting and processing PII for EU residents.
Executive Order
Exactly what will be included in the executive order related to software vendor security and breach reporting requirements is still uncertain, but officials with the Department of Homeland Security have indicated there could be about a dozen requirements focused on cybersecurity.
These mandates will likely replace the common use of non-disclosure agreements between many tech companies and their agency partners, which would give federal officials more insight into breaches and other security incidents such as potential vulnerabilities. The mandate will also likely include provisions guiding vendors to work directly with the Department of Homeland Security, the FBI, or other agencies when a breach occurs.
We would not be surprised to see these requirements included in future Requests for Proposals (RFPs) and Requests for Information (RFIs).
Among the requirements, we anticipate:
- Sensitive data encryption
- Digital record preservation
- Multi-factor authentication
- Definition of a breach event
- How to report a breach
- To which agency/oversight board to report a breach
Like HIPAA, we would not be surprised to see these requirements draw on existing cybersecurity frameworks such as NIST, ISO, SOC, or NERC-CIP.
Preparing for the Order
While many industry analysts expect the executive order to become reality soon, it's unknown what timelines and enforcement periods will come to light when it’s public. While we’re waiting on the final word, you can take some steps to prepare for upcoming changes.
A great place to start is to take a look at your existing cybersecurity controls so you have a better understanding of what your organization is already doing and what you may need to do to close security gaps.
If your team is tracking this information through word processing documents or spreadsheets, you may find it challenging to wrap your arms around everything going on within your organization. Instead, you may find it more helpful to implement, track, and manage your controls in a technology solution such as Apptega that can help you see all this information quickly in an easy-to-understand dashboard.
If you have existing cybersecurity frameworks in place, you can also track and manage those in the software. As you prepare to implement additional frameworks or add new controls to your cybersecurity program, you can easily crosswalk them in Apptega to eliminate redundancy and unnecessary overhead. Then, when the executive order comes into play, you’ll know right away where you stand and what you need to do to meet the new requirements.
Need help getting started? Contact an Apptega advisor today. We'll be happy to share a demo, show you how the platform works, and answer questions to help you be ready before the executive order's final deadlines are effective.