Does The Cybersecurity Act Of 2015 Help Or Hurt?

By Jay Trinckes, Senior Practice Lead, Healthcare & Life Sciences, Coalfire
There was a lot of talk about the Cybersecurity Act of 2015, but does Section 405: Improving Cybersecurity in the Healthcare Industry really do enough? While the bill is a start to helping the healthcare industry lower cybersecurity risks, the improvements passed may not do enough to protect us from the compromise of sensitive information.
Within 90 days of the bill’s passage, the Secretary of the Department of Health and Human Services (HHS), in consultation with the Director of the National Institute of Standards and Technology (NIST) and the Secretary of the Department of Homeland Security, must establish a healthcare industry cybersecurity task force. This task force is supposed to be made up of healthcare industry stakeholders, cybersecurity experts, and any federal agencies or entities the Secretary deems appropriate.
The task force will be assigned the following duties:
- Analyze how various industries, other than the healthcare industry, have implemented strategies and safeguards for addressing cybersecurity threats. [This is nothing new; one can find a lot of information already available such as the safeguards found in the financial services industry (FFIEC/GLBA) and government (FedRAMP/FISMA).]
- Analyze the challenges and barriers private entities (excluding state, tribal, or local government entities) in healthcare face when securing data against cyberattacks. [Rather than focusing only on private entities, the task force should look at every entity within the healthcare industry, especially government entities. Two challenges/barriers it can start with are the limited financial resources allocated to security and the shortage of security experts within the healthcare industry.]
- Review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record. [Other oversight entities such as the Food and Drug Administration (FDA) complicate this: the FDA’s medical device security guidelines are currently voluntary rather than mandatory, and healthcare organizations themselves have minimal ability to establish their own controls over these devices.]
- Provide the Secretary with information to disseminate to healthcare-industry stakeholders of all sizes for the purpose of improving preparedness for, and response to, cybersecurity threats affecting the healthcare industry.
- Establish a plan for implementing title I of this division, so that the federal government and healthcare-industry stakeholders may share actionable cyber-threat indicators and defensive measures in real time.
- Report to the appropriate congressional committees on the findings and recommendations of the task force regarding carrying out the above tasks.
Although we can applaud the intentions of this task force, it’s not clear how Congress will use this information once it’s compiled. There’s no indication within the bill as to the final outcome of this work. Unless Congress provides ongoing resources for this effort, the result will be a ‘snapshot in time’ report, which leaves organizations at risk, since cybersecurity threats change rapidly and the task force is only in operation for one year.
Additionally, the law directs HHS to align healthcare-industry security approaches by developing a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures and processes. This common-set approach is intended to serve as a cost-effective resource to reduce cybersecurity risks for a wide range of healthcare organizations. One issue that exists in healthcare is that no two organizations do things exactly the same way. Unfortunately, that much flexibility sometimes lets security requirements be misinterpreted, with organizations reading the intent of a requirement in whatever way suits them.
The common set of security approaches is offered for voluntary adoption and for implementation efforts intended to improve safeguards against cybersecurity threats. There are several guidelines, best practices, methodologies, procedures, and processes already available to the healthcare industry, such as those developed by HITRUST, NIST, ISO and others, and/or those that can be adapted from other industries (e.g., the financial services industry) to serve healthcare organizations’ needs.
Adoption of these approaches still appears to be slow, although interest has increased as healthcare organizations have fallen victim to major breaches. Unfortunately, a voluntary approach does little to emphasize the importance of security within the healthcare industry; healthcare organizations will most likely ignore the guidance as one more set of requirements that overlaps with what they already have. Unless Congress requires healthcare organizations to use specific approved security-control frameworks, few are likely to volunteer. We may, however, see the industry ‘policing’ itself by requiring business associates and service providers that work with healthcare covered entities to obtain approved validation such as HITRUST CSF certification and/or a SOC 2 report.
Aside from the disappointment in making these approaches voluntary, the law explicitly states that the Secretary of HHS has NO AUTHORITY to audit healthcare organizations for compliance with them. Without enforcement, there is no compliance. The Secretary can’t even mandate, direct, or condition the award of any federal grant, contract, or purchase on compliance with this common set of security approaches. On top of this, there are no consequences for non-participation. Congress could at least have offered an incentive, such as a safe harbor for organizations that voluntarily comply with the security approaches under development.
Let’s face it, the healthcare industry as a whole hasn’t taken security seriously, and the lack of any formal enforcement of compliance has led to huge breaches and major concerns over the privacy and security of protected health information. Why can’t the healthcare industry be more like the financial services industry and require independent assessments to validate and verify security compliance activities? Until either the healthcare industry itself, or Congress and the regulators, get tougher on healthcare organizations when it comes to safeguarding our sensitive medical information, the cybersecurity state of the industry will be hard-pressed to improve.
Reference: Sec. 405, Improving Cybersecurity in the Healthcare Industry (page 1851 of the omnibus spending bill), part of the Cybersecurity Act of 2015.