Federal health-sector cybersecurity leaders from components across the Department of Health and Human Services (HHS) said that when it comes to implementing zero trust security mandates – such as Office of Management and Budget (OMB) memo M-22-09 – agencies can’t treat the task as just “checking another box.”
“We need to do a better job at how to manage effectiveness over compliance,” Gerald Caron, chief information officer (CIO) at HHS’ Office of the Inspector General, said at AFCEA’s Health IT Summit on Jan. 18.
“I want to be able to be effective at cybersecurity. Just being compliant is not enough,” he said.
OMB M-22-09 – the longest memo released by the agency to date – directs Federal agencies to migrate to common baselines of zero trust security architectures by 2024.
Other senior leaders on the panel agreed with Caron, saying that effective follow-through with the zero trust mandate will take time and continuous effort from security teams.
“Zero trust is a culture change,” Jon McKeeby, the CIO for the National Institutes of Health (NIH) Clinical Center, said. “[It] really can’t just be a checkbox.”
“It takes time to implement it,” he said, adding, “We’re still behind it, and we need to be in front of it.”
McKeeby said his team’s compliance with adopting zero trust security architectures by the end of 2024 is a “work in progress.”
While NIH boasts nearly 20,000 employees, McKeeby said his team at the Clinical Center is small and not well resourced, so they’re still in the early stages of identifying the roadmap to zero trust.
Currently, McKeeby says his team has about 10 percent of its applications in the cloud, while the rest remain on-prem. He plans to bump that cloud figure up to 90 percent in the next five years.
“We’re defining where we are, what tools we have, what are our gaps, and then determining what we need and having the right conversations with the right people,” he said.
“It’s a team sport and the whole organization has to be a part of the [zero trust] culture,” McKeeby emphasized.