Why the new HHS cybersecurity initiative may be too little, too late
After years of increasingly dangerous data security and privacy breaches across the American healthcare environment, HHS has decided to take preventative action.
On July 25, HHS announced it will fund a new resource that will share “the most up-to-date cyber threat information across the health and public health sectors and will better equip health systems to identify potential threats and further protect electronic health information.”
This is a step forward in strengthening healthcare’s war against cyber criminals, since thus far health-related organizations have been on their own in dealing with them. But the fine print behind the HHS initiative predicts a painfully long and arguably underfunded project that will take years until we see much benefit. Here’s why.
HHS announced that it is offering coordinated grant opportunities through ONC and the office of the Assistant Secretary for Preparedness and Response (ASPR), to provide a “concerted, centralized effort needed to protect the country’s healthcare environment and data.” The dual grants will be awarded to existing Information Sharing and Analysis Centers (ISACs) that are already providing outreach and technical assistance to participating organizations on cybersecurity threats specific to the healthcare and public health sectors. The grants will support expansion of the ISACs’ outreach and education capabilities to meet the following goals:
- Provide more and better information and education on cyber threats to health data.
- Increase education outreach on cyber threats.
- Help equip affected organizations with tools to take action on threats.
- Facilitate information sharing across the healthcare and public health sector and federal cybersecurity partners.
Karen DeSalvo, chief of ONC, said “Establishing robust threat information sharing infrastructure and capability within the healthcare and public health sector is crucial to the privacy and security of health information, which is foundational to the digital health system.”
The two grants will award the winners a combined $250,000 for the first year of what is described as a five-year initiative with a total of approximately $1.25 million to be provided “subject to the availability of funds and satisfactory performance of the recipient.” Entries by qualified non-profit organizations must be submitted by late August.
Here’s HHS’ timetable for what they hope the organizations will accomplish by when:
Year 1 (2017): The awardee is to deliver a gap analysis of information sharing within the hospital/public health sector (HPH), develop a concept of operations for sharing between HPH and the federal government and start developing plans based on this concept.
Year 2 (2018): Based on the approved concept, the selected ISAC will coordinate with HHS and the HPH sector to expand its communications reach to be able to share threat information beyond its current membership base to the entire HPH sector. This effort is expected to include expanding the ISAC’s IT and communications infrastructure. The ISAC will also develop a business plan using a tiered membership fee structure for members to receive full outreach benefits. Options for basic information will be created for non-paying members. The ISAC also will work on coordinating communications structures with other organizations, including federal cybersecurity partners.
Year 3 (2019): The ISAC will continue to “develop, implement, evaluate and refine operational information sharing plans.”
Years 3–5 (2019-2021): By this time, the ISAC is expected to begin serving as the main point of contact to support, promote and enhance information sharing, including being the conduit for private sector entities to share cybersecurity information with federal investigative operations. It also will become the lead organization coordinating analysis and response activities for HPH sector cyber incidents, including developing comprehensive analytical products and creating a more complete picture of cyber threats.
Creating and deploying a nationwide health cybersecurity protection program will not be a simple endeavor. Nevertheless, the outlined project suggests that few, if any, benefits will be realized by the healthcare community for as long as three years, as the grant awardee works with HHS through a painstaking process of gap analysis, concept building, plan design and infrastructure expansion.
Further, the funds HHS is allocating seem paltry in comparison to the project’s ambitious size and complexity. It is also worth noting that the objective to eventually share program costs with the private sector through a tiered membership fee structure will prevent many organizations that need the most help from getting it.
In the meantime—right now—many hospitals, practices and other healthcare providers don’t have the resources or information they need to protect themselves from cyber attacks. Healthcare records for one in three Americans were breached in 2015, a dramatic increase over 2014. Over 80 percent of healthcare executive respondents to a recent Modern Healthcare survey said they expect more cybersecurity attacks in 2016. So far this year, their fears have been justified.
Assistant Secretary for Preparedness and Response Nicole Lurie said during the HHS announcement that with this new bi-directional initiative shared by the federal government and the healthcare/public health sector, HHS hopes “to build the capacity to better prevent, detect and respond to cyberattacks.”
No one can disagree with that sentiment. But the overall project carries a major downside—no near term benefits. This initiative will proceed over a long, dangerous five-year period of innumerable cyber threats. What about solutions for today and tomorrow?