New Penalties Are a Push to Mitigate Cybersecurity Threats in Telecommunications and Healthcare

Regulators are cracking down on cyber vulnerabilities in critical infrastructure, but security experts question whether penalties alone can close widening gaps

By Mike Isbitski · Tags: Cybersecurity, Experts Talks, Healthcare, Michael Isbitski

Key takeaways

  1. New regulatory penalties are being introduced to address cybersecurity gaps in telecom and healthcare sectors.
  2. Security experts question whether penalties alone are an effective deterrent given the scale and sophistication of modern cyber threats.
  3. Critical infrastructure sectors face unique challenges in closing security gaps due to legacy systems, regulatory complexity, and resource constraints.

Cybersecurity has emerged as a critical issue in telecommunications and healthcare, two industries intertwined as essential services. With both sectors recognized as critical infrastructure, the consequences of cyber attacks can be far-reaching, impacting everything from individual privacy to national security. While recent regulatory changes aim to tighten security protocols, they also raise questions about the adequacy and effectiveness of current security practices.

How do the challenges and strategies in cybersecurity compare between telecommunications and healthcare? What impact do new regulations have on these critical industries?

In an "Experts Talk" roundtable on cybersecurity in healthcare, Michael Isbitski, Director of Cybersecurity Strategy at Sysdig, offered insight into these pressing issues. Drawing on nearly two decades of experience in telecommunications, Isbitski traced the parallels and divergences in the cybersecurity challenges facing the two sectors. He also walked through recent regulations and described how the cybersecurity landscape is evolving.

Several takeaways from Isbitski's discussion include:

  • The ways cyber attackers quickly evolve, posing continuous threats to critical infrastructure sectors such as telecommunications and healthcare.
  • Why the interconnected nature of modern industries means that compromising one can lead to cascading failures across others, highlighting the need for robust security in telecommunications as a backbone.
  • Recent cybersecurity regulations across various countries and sectors are aligning more closely with long-standing security practices, emphasizing better access control and intrusion monitoring.
  • The critical nature of cybersecurity and how it often competes with financial constraints within organizations, leading to potential vulnerabilities unless regulatory penalties enforce stricter compliance.
  • How so many organizations struggle with insufficient staffing and budget for cybersecurity, which can hinder their ability to effectively manage and mitigate risks.

Isbitski's perspective shed some light on the importance of adopting and adapting to these new regulations to enhance the security and resilience of both telecommunications and healthcare industries.

Video Transcript

Yeah. And our attackers pivot very quickly too. You know, I'd say from my perspective, and I worked for a telco for close to twenty years, which is now a critical infrastructure provider. Right? And then they become the interconnect to all other verticals like health care or utilities. Right? So if you can attack the communications, then you can now bring down anything. So then you start rabbit holing into that whole topic of resiliency. But, you know, my career at that telco, very difficult. Right? A lot of the things that Davey's hitting on. Right? You're always fighting for that budget. You're fighting for the headcount. You know the things that you have to do for your security program, but you just don't have the teeth. So one of the things that I like that has been a more recent trend is kind of the wave of cybersecurity regulations that are hitting, things like EU's NIS2 directive, the US national cybersecurity strategy, SEC cybersecurity disclosure rules. And, you know, there's a lot of regs. Right? And I could probably spend the next ten minutes just listing all of them. Right? Every nation state's gonna have their own, and then verticals are gonna have their own implementations of them. But they're saying a lot of the things that security practitioners have been saying for decades at this point. Right? Like, we have to be better at access control. We have to monitor for intrusions. Like, what does our threat detection and response capability look like? Can we detect things timely, and then is that disclosed? How do we coordinate vulnerability response? So the regulations are finally starting to catch up with that. But then in tandem with that is also penalties. Right? And that's the reality. Right? We are talking about businesses, and we're kind of in weird macroeconomic times. Although, hopefully, coming out of that. Right? But globally, things were very suppressed. So most organizations were scaling back all of their spend.
Right, whether it was IT or security. And, usually, security is first to go. Right? Like, well, let's be honest. They're not revenue generating. The risk is just accepted by organizations. So now regulation kind of has more of that teeth. So if you're making sacrifices on your risk management approach, whichever aspect that might be, maybe it's access control, maybe it's threat detection, there's multiple pieces. Right? Patching, how are you managing supplier risk? All these are components of that. If you're making sacrifices there, it has to be disclosed to the regulatory body or maybe the public. And then if you have a failure, like in the case of an incident or breach, there might be financial repercussions to that. Right? Your leadership might be at fault. Potentially, you can't practice. Right? Maybe there's criminal penalties on the table. So that looks much different than it did twenty years ago. So as a practitioner and a leader, right, I was managing or leading the application security efforts, a component of it, at Verizon, and that was a large team. Right? Many organizations don't even have adequate staff. Right? Their security are juggling all of the security roles. But I never had enough people, and I never had enough money. And I was constantly fighting those battles, and it's exhausting. So, yeah, as a practitioner and leader and advisor, it's like, this is great. Right? This is music in my ears. We need to ride that wave because that's gonna improve all industries, certainly health care. But, yeah, the tech hasn't really changed. We're talking about a lot of the same problems that just kind of got swept under the rug, unfortunately.

About the Expert

Mike Isbitski

Director of Cybersecurity Strategy at Sysdig

Mike Isbitski is a cybersecurity strategist with extensive experience in application security, cloud-native security, and regulatory compliance. He has held advisory and strategy roles at several security-focused technology companies, including Sysdig and 42Crunch. He regularly speaks and writes on topics including zero trust, API security, and security policy.