As a result of ongoing concerns over cybersecurity risks to the healthcare sector, the Senate included a section specifically on healthcare in the recently passed bill, S. 754, the Cybersecurity Information Sharing Act (CISA). In the last year alone, major healthcare entities, including health insurers, have been hit by large-scale cybersecurity attacks that exposed the records of tens of millions of consumers.
Congress has been debating various cybersecurity bills over the course of the last year. The Senate bill, which passed on October 27, 2015, includes a section directed specifically at the healthcare sector. The bill also imposes two requirements on the U.S. Department of Homeland Security (DHS): first, to create a program to mitigate cybersecurity attacks against critical infrastructure and, second, to assess whether all critical infrastructure entities should be required to report a cybersecurity attack to both DHS and their respective Sector-Specific Agency.
Section 405 of the bill, entitled "Improving Cybersecurity in the Health Care Sector," requires the Secretary of the U.S. Department of Health and Human Services (HHS), within one year of enactment, to submit a report to the key Congressional committees of jurisdiction on the sector's level of preparedness to respond to cybersecurity attacks. The section seeks to tailor a cybersecurity program to the health sector by requiring HHS and DHS to convene stakeholders and to create a Health Care Industry Cybersecurity Task Force. Among other duties, the Task Force must analyze the "challenges and barriers" that stand in the way of the industry protecting itself against cyber-attacks and managing the security of networked medical devices and of systems that connect to electronic health records (EHRs).
Section 405 delineates the key stakeholders in this process to include health plans, health care providers, patient advocates, pharmacists, developers of health information technology, labs, pharmaceutical manufacturers, medical device manufacturers and other stakeholders as the HHS Secretary designates.
The section also requires the creation of a Health Care Cybersecurity Framework tailored to the needs of the sector. The Administration, led by the National Institute of Standards and Technology (NIST) and working with the private sector, released the cross-sector Cybersecurity Framework in 2014; the healthcare framework would presumably build on that effort.
For the last several years, HHS and the Food and Drug Administration (FDA) have been working with the private sector to ensure that it understands the cybersecurity risks and to explain how the newer cybersecurity paradigm differs from the sector's longstanding privacy regulations. The Federal Trade Commission has also been involved in both the security and privacy aspects of consumer-facing health and wellness apps. The healthcare sector will need to fully engage in managing these cybersecurity issues while continuing to meet existing legal and regulatory requirements for consumer and patient privacy. At least two groups have come out in support of section 405: the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Health Information Security (AEHIS) jointly issued a press release endorsing the language.
The House and Senate now need to convene a Conference Committee to reconcile the various cybersecurity bills, a process that is expected to take several months.