The omnibus appropriations legislation that Congress passed last week contained a variety of health-related provisions. These provisions include rescinding funding for the Independent Payment Advisory Board (IPAB), deficit-neutral language related to risk corridor payments and cybersecurity.

Within a title dealing with cybersecurity issues, including within the federal government, section 405 requires the Department of Health and Human Services to provide the Senate HELP Committee and the House Energy and Commerce Committee with a report within one year. That report is to provide a clear statement concerning who is responsible for leading and coordinating efforts at HHS regarding cybersecurity threats in the healthcare industry and provide a plan from each relevant operating division and subdivision. The legislation also creates a healthcare industry cybersecurity task force that shall include healthcare industry stakeholders as well as cybersecurity experts, and any federal agencies or entities the Secretary determines appropriate to:

  1. Analyze how industries other than healthcare have implemented strategies and safeguards for addressing cybersecurity threats;
  2. Analyze challenges and barriers private entities in the healthcare sector face in securing themselves against cyberattacks;
  3. Review challenges that covered entities and business associates face in security networked medical devices and other software or systems that connect to an electronic health record;
  4. Provide the secretary with information to disseminate to healthcare industry stakeholders of all sizes for purposes of improving their preparedness for and response to cybersecurity threats;
  5. Establish a plan for implementing so the federal government and healthcare industry stakeholders may in real time share actionable cyber threat indicators and defensive measures; and
  6. Report findings and recommendations to the appropriate congressional committees.

The task force is terminated one year after the date on which it is established.

In addition, the Secretary shall establish a common set of voluntary consensus-based and industry-led guidelines, best practices and methodologies that:

  1. Serve as a resource for cost-effectively reducing cybersecurity risks for a range of healthcare organizations;
  2. Support voluntary adoption and implementation efforts to improve safeguards to address threats; and
  3. Are consistent with the standards and guidelines developed by the National Institute of Standards and Technology Act, the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the provisions of the Health Information Technology for Economic and Clinical Health Act.