Congress OKs National Cybersecurity Framework, But Much Work Remains

The Cybersecurity Act of 2015 in the omnibus federal government spending bill includes nine pages on improving cybersecurity in the healthcare industry. But once several pages of definitions are out of the way, there is not a real plan; it is more of a process for getting to a plan, critics say.

First, the Department of Health and Human Services is required within a year of enactment to submit to multiple congressional committees a report assessing the preparedness of HHS and the industry as a whole to respond to cybersecurity threats. HHS must designate a leader for the department’s cybersecurity initiatives and explain how each relevant operating division and subdivision will address threats.

Within 90 days of enactment, the leaders of HHS, the Department of Homeland Security and the National Institute of Standards and Technology must convene agencies, stakeholders and experts to create a task force. It will analyze strategies and safeguards implemented in other industries, analyze the challenges and barriers that private healthcare entities face in protecting themselves from attack, and review the challenges that covered entities and business associates face in securing networked medical devices and other software that connects to the electronic health record.

The task force further will develop information to disseminate to stakeholders to aid in improving their preparedness, establish a plan for sharing cyber threat indicators and defensive measures among government and private entities, and develop a common set of voluntary best practices for cost-effectively reducing cyber risks and improving safeguards.

A $31.5 million appropriation will fund the National Cybersecurity Center of Excellence. The legislation also includes the Cybersecurity Information Sharing Act of 2015, which gives private sector entities liability protection when sharing or receiving cyber threat data from other entities, defines when personally identifiable information must be removed before data is shared, and requires that individuals be notified in a timely manner if their personal information was shared, according to an analysis from the Healthcare Information and Management Systems Society, which supports the legislation.

“HIMSS has consistently called for the need to ensure a single pipeline of actionable, real-time cyber threat data to healthcare leaders and facilitate consistent implementation of a common set of security and risk management standards and best practices across the sector.”

The College of Healthcare Information Management Executives issued a statement supporting passage of the cybersecurity language in the omnibus bill, saying it will enable CIOs and CISOs to share threat indicators through a national infrastructure with necessary liability protections.

The Electronic Frontier Foundation, which advocates for privacy rights in the digital era, said in a statement that the legislation is a combination of three “dangerous” proposed bills and ignores the fact that companies and security experts already can share information. “Maybe more importantly, the bills do not address problems from the recent highly publicized computer data breaches that were caused by unencrypted files, poor computer architecture, un-updated servers, and employees or contractors clicking malware links.”

Deborah Peel, M.D., founder of Patient Privacy Rights, which advocates patient control of personal health information, notes that while healthcare employees have extensive access to patient records, most patients still cannot easily download copies of their own records, a right granted to them under the HITECH Act.

“Nor can they obtain real-time access to an accounting of disclosures to see who has used, sold or disclosed their sensitive personal health information,” she adds. In the 2,009-page bill, the healthcare cybersecurity provisions start on page 1851 and the Cybersecurity Information Sharing Act starts on page 1729.