On December 18, 2015, President Obama signed a $1.1 trillion Omnibus spending bill. Among many other things in its 2,009 pages, the bill mandates the creation of a Healthcare Industry Cybersecurity Task Force. The Task Force must be established within 90 days of the bill’s enactment, that is, by March 17, 2016. Given that the healthcare industry is increasingly a target for hackers, the creation of the Task Force should be welcome news.
Many, including the Washington Post, have dubbed 2015 “the year of the health-care hack.” There are believed to have been over 730 data breaches this year, and the seven largest hacks alone exposed personal records and data corresponding to roughly 193 million people. Over one-third of the breaches (259) occurred in the health care sector, and three of the seven largest breaches involved covered healthcare entities holding large amounts of Americans’ protected health information. Healthcare data hacks are particularly troublesome given the sensitivity of the stolen data. Health data often involves highly personal and private information, including data pertaining to children and minors. Individuals whose medical information has been stolen can be at increased risk of identity theft and medical fraud, causing them not only financial harm but potentially physical harm as well.
Section 405(c) of the bill requires the Secretary of Health and Human Services (“HHS”) to convene the Task Force in consultation with the Director of the National Institute of Standards and Technology (“NIST”) and the Secretary of Homeland Security (“DHS”). The Task Force will include healthcare industry stakeholders, cybersecurity experts, and any Federal agencies or entities the Secretary deems appropriate to include. In accordance with the bill’s instructions, the Task Force will operate for one year following its creation.
First, the Task Force’s responsibilities include analyzing the challenges private entities in the health industry face in securing health information against cybersecurity attacks, and studying what players in other industries have done to address cybersecurity risks.
Second, the Task Force will review the challenges covered entities face in securing networked medical devices.
Third, the Task Force will provide the Secretary of HHS with information on ways to improve preparedness for, and response to, cybersecurity threats, which HHS can disseminate to health industry stakeholders. The bill requires the Secretary of HHS to disseminate this information within 60 days of the Task Force’s termination.
Fourth, the Task Force must establish a plan for implementing cybersecurity improvements in the health care industry that would allow the Federal Government and health care industry stakeholders to share actionable cyber threat indicators and defensive measures in real time.
Fifth and finally, the Task Force will report its findings and recommendations to congressional committees. In the Senate, these committees will be the Committee on Health, Education, Labor, and Pensions; the Committee on Homeland Security and Governmental Affairs; and the Select Committee on Intelligence. In the House, the Task Force will report to the Committee on Energy and Commerce, the Committee on Homeland Security, and the Permanent Select Committee on Intelligence.
In the same vein, the Omnibus bill also calls for HHS, DHS, and NIST to work together to create a set of voluntary, consensus-based, industry-led guidelines and best practices for securing health information. These initiatives reflect Congress’s concern that HHS take on a more robust leading role in helping healthcare organizations improve critical incident response and share threat information with each other and with the Federal Government. In January 2015, the Senate Committee on Health, Education, Labor, and Pensions, led by Senator Lamar Alexander (R-TN) and Ranking Member Patty Murray (D-WA), launched a review of the cybersecurity challenges facing the healthcare industry. The Committee held a series of meetings with health care industry leaders and cybersecurity experts to better understand the unique challenges facing the health care sector and to explore policy solutions. In November 2015, the Committee wrote to CMS and to the Office for Civil Rights at HHS, which is responsible for enforcing the HIPAA Privacy and Security Rules, asking a series of targeted questions about the actions HHS takes to protect patient privacy and increase the security of patients’ health data.
It will be important for industry officials to watch closely as the Task Force undertakes its vital mission, and to identify opportunities early in the process for participation and input into the Task Force’s activities and ultimate recommendations.