U.S. Senate passage this week of the Cybersecurity Information Sharing Act of 2015 (CISA) to facilitate timely sharing of cyber threat indicators between and among the private sector and federal government organizations has both supporters and detractors.

The Health Information Trust Alliance, an industry security consortium, issued a statement that it continues to fully support CISA which “formalizes the process for information sharing, encouraging private entities to share amongst themselves and with the government.”

According to HITRUST, the legislation “provides legal certainty that companies sharing information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time, as well as when taking actions to mitigate cyber attacks.” And, by “singling out” the healthcare industry— which this year alone has suffered data breaches impacting more than 100 million Americans—the organization believes the bill “sends a clear message that law makers are concerned with the pace of this progress.”

The Healthcare Information Management and Systems Society supports the Senate bill, arguing that the healthcare industry will “further benefit from the establishment of a common set of security and risk management best practices that can be implemented consistently across the sector and mapped to a single, voluntary, national health-specific cybersecurity framework.”

Likewise, the College of Healthcare Information Management Executives and the Association for Executives in Health Information Security jointly applauded the 74-21 vote by the Senate to pass CISA.

“CHIME and AEHIS are especially encouraged that the Senate-approved bill includes language that would establish a cybersecurity framework specifically focused on healthcare and instructs the Department of Health and Human Services to identify a specific leader on cyber preparedness,” the organizations said in a written statement.

Also See: Major Cybersecurity Bill Clears Senate

Authored by Senate Health Committee Chairman Sen. Lamar Alexander (R-Tenn.) and Ranking Member Sen. Patty Murray (D-Wash.), Section 405 of CISA includes the following provisions:

  • Charges the Department of Health and Human Services with naming an official responsible for leading the agency’s cybersecurity efforts to coordinate response and so that health organizations will know who is in  charge of offering guidance and support;
  • Requests that the agency issue a report on emerging cyber threats in the healthcare industry, so both the agency and the American public have an accurate picture of the impact of these attacks;
  • Creates a task force of health industry leaders and cybersecurity experts to identify the biggest challenges in securing against cyber threats and recommend specific solutions to the agency;
  • Charges the task force to create a central resource to distribute cyber intelligence from the federal government to healthcare organizations in near real time, so they can rapidly respond to active threats and;
  • Instructs HHS to create a series of best practices for health industry leaders to follow—on a voluntary basis—to help them keep their organization’s data as secure as possible.

For its part, the U.S. House of Representatives in earlier legislative actions passed two cybersecurity bills. As a result, House and Senate conference committee members will now try to reconcile the different versions of the legislation, which will also require President Obama’s signature to become law.
“Once enacted by the president, CISA will represent a significant advancement in cybersecurity and better enable the nation’s chief information officers and chief Information security officers to better protect patient health information,” according to CHIME and AEHIS.

Privacy and civil liberty organizations, however, are not so pleased with the Senate action. The Electronic Frontier Foundation, for instance, called the legislation “fundamentally flawed” given its “broad immunity clauses, vague definitions, and aggressive spying authorities as well as inability to address problems that caused recent highly publicized computer data breaches.”

EFF and other privacy groups vowed to continue to fight against the bill by urging the conference committee to incorporate pro-privacy language in their final version of the legislation.

But, HITRUST opposes any changes to the bill that would weaken liability protection for information sharing. Similarly, as CISA moves to a legislative conference committee, HIMSS said it “strongly urges the House and Senate to retain these essential provisions so critical to supporting healthcare organizations in more effectively protecting patients and their health information from growing cyber threats.”

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access