Several industry stakeholders gathered earlier this month at a House Committee on Homeland Security hearing to discuss the Cybersecurity Act of 2015. The hearing covered specifics on how healthcare cybersecurity and other industry measures could be affected.
The Cybersecurity Act was signed into law in December 2015 and was designed to connect industry professionals through a shared network so that they can better exchange information about potential cybersecurity threats.
“The bill recognized the role of DHS’ National Cybersecurity & Communications Integration Center, or NCCIC, as the civilian portal for the sharing of cyber threat indicators,” Subcommittee Chairman John Ratcliffe said in his opening statement. “The key aim was to see cyber threat indicators — which contain critical information about the nature, methodology, source, and scope of cyber-attacks — shared with other parties so they can, in turn, fortify their own networks against future intrusion.”
Ratcliffe added that incidents such as the Anthem data breach show how the nation’s most sensitive information is at risk with the evolving types of cybersecurity threats. Congress must continuously use “rigorous oversight” to ensure that DHS is doing its due diligence in keeping information secure.
“This new law strengthens DHS’s ability to more effectively secure government networks and incentivizes the sharing of cyber threat indicators among critical sectors and with the government to bolster protections from future attacks,” Ratcliffe explained.
Matthew J. Eggers, Executive Director of Cybersecurity Policy for National Security and Emergency Preparedness, U.S. Chamber of Commerce, was a witness at the meeting, and agreed that the Cybersecurity Act was an important step forward.
“The Chamber is a strong supporter of CISA and its potential to clear away real or perceived hurdles to information sharing,” Eggers said in his statement. “CISA is not a silver-bullet solution to our nation’s cybersecurity challenges. However, Chamber members say that increasing the speed and quality of bilateral information flows of CTIs and DMs is essential for developing a holistic approach to cyber defense.”
The CISA legislation also included a section devoted specifically to healthcare cybersecurity. The provision explains that HHS would appoint an official to lead the agency’s cybersecurity efforts and coordinate the necessary response following an attack.
HHS would also issue a report on the latest cyber threats, keeping the public informed about how they may be affected by those attacks.
“The Secretary of HHS shall establish through a collaborative process with DHS and NIST, and any other Federal entities and non-Federal entities a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures and processes,” according to a CHIME statement on the provision.
In the wake of large-scale healthcare cybersecurity attacks, including several cases of ransomware, there has been growing pressure on Congress to enact laws that keep healthcare data secure.
For example, in April 2016, bipartisan legislation was introduced to improve healthcare cybersecurity, specifically the measures within the Department of Health and Human Services (HHS).
The HHS Data Protection Act is “a critical step toward safeguarding the delicate information countless Americans have entrusted in HHS’s hands,” according to House Energy and Commerce Committee members Rep. Billy Long and Rep. Doris Matsui.
“We’ve developed a thoughtful solution to improve cybersecurity at HHS, based on committee findings,” Long and Matsui explained. “We must do all we can to ensure greater security of the government’s health networks and Americans’ sensitive data.”
Furthermore, a House Energy and Commerce Subcommittee hearing in May 2016 reviewed the benefits of the HHS Data Protection Act, as well as the future HHS role in healthcare cybersecurity.
A key provision of the proposed legislation would establish the office of the Chief Information Security Officer (CISO) at HHS. The CISO would be a peer of the Chief Information Officer (CIO) rather than reporting to the CIO.
“The Chief Information Security Officer, in consultation with the Chief Information Officer and the General Counsel of the Department of Health and Human Services, shall have primary responsibility for the information security (including cybersecurity) programs of the Department,” the bill states.
Information sharing, including the sharing of cybersecurity threat indicators, will be a key aspect of the future of healthcare. However, healthcare cybersecurity issues cannot be overlooked, and organizations need to be fully aware of the potential threats and of how they can work toward keeping data protected.