A soon-to-be-convened HHS task force and its forthcoming report on cybersecurity mark a step toward strengthening privacy and security in health care, but it might have been the wrong one to take, some experts say.
“The industry already knows what needs to be done,” said David Harlow, a health care attorney, consultant and author of HealthBlawg, citing data encryption and training to avoid human-error breaches as a few best practices. “We don’t have to wait for a report in order for those things to happen.”
Cybersecurity Measure Included Federal Spending Deal
Last month, Obama signed into law a two-part spending agreement that consists of:
- A $1.1 trillion omnibus budget measure to fund federal agencies through fiscal year 2016; and
- A $650 billion tax package that renews for the next 10 years various tax breaks that had ended or were about to expire.
The omnibus measure includes a cybersecurity bill (S 754) that encourages businesses to share information on hackers with the federal government. In addition, the measure requires HHS to create a cybersecurity task force within 90 days of the law’s enactment. The task force will be responsible for:
- Analyzing challenges private health care entities face in preventing cyberattacks;
- Examining how other industries handle cybersecurity threats;
- Giving the HHS secretary information on how to prepare for digital threats and handle information that will be shared with industry stakeholders; and
- Reviewing challenges covered entities and business associates face in securing medical devices connected to networks and software that connects to electronic health record systems.
In addition, the task force will be charged with creating a report that HHS will deliver to Congress within one year of the law’s enactment. The report will detail:
- The person in charge of cybersecurity prevention in the health care industry; and
- Plans to combat cybersecurity threats for each relevant division or subdivision within HHS.
Why Wait?
One issue raised about the HHS provision is its timeline.
Waiting up to a year for recommendations on how to counteract cybersecurity threats might be too late, Harlow said.
“By the time the recommendations are surfaced and delivered to Congress and sent back to an agency, the nature of cybersecurity threats will have evolved,” Harlow said. “It’s a very fast moving area. So trying to deal with it in this way is almost, by definition, doomed to fail.”
To address this concern, the task force could release preliminary findings for the industry to consider.
“If the task force is cognizant of the rapid pace of changing [cyber]attacks and threats, there could be some preliminary recommendations that the industry could start on before that 12 months is up,” Ann Patterson, senior vice president and program director at the Medical Identity Fraud Alliance, said.
Meanwhile, the cybersecurity law includes other provisions — not specific to HHS or health care — that could benefit the sector sooner. Namely, the real-time cybersecurity threat alert system.
Under the provision, companies are encouraged to report cybersecurity information to federal agencies.
“There are people now that are looking at how to create and how to implement that real-time cyber threat environment,” Patterson said. “I’m hopeful that with some federal oversight, the [health care industry can work] together in terms of how it can best utilize real-time threat monitoring.”
But even this provision has raised some concerns.
“There’s the danger of materials — in this case personally identifiable information that either itself is health information or could be used to retrieve health information — that have not been sufficiently de-identified being passed up the chain of command,” Harlow said.
What’s To Come of the HHS Report?
Another concern is about what will happen after HHS’ recommendations are delivered to Congress.
The law spells out the topics to be included in the report, but “it’s unclear what really happens as a result of that report,” Harlow said.
That’s because privacy and security regulators already know what they “need to do in terms of impressing upon the industry the need to do what the industry already knows it needs to do,” Harlow said, emphasizing the potential for redundancy.
He added, “It should not be a surprise to anyone if this report comes out at the end of a year, and it says health care organizations should focus on” encrypting information with sophisticated technologies and avoiding human errors that lead to breaches — all things that “already exist.”
Meanwhile, David Holtzman — vice president of compliance at CynergisTek, a cybersecurity firm — questioned when, if at all, the task force’s recommendations and best practices would be implemented.
“There’s no reason to believe something good won’t come out of [the law], but history has shown these endeavors to be a lot of smoke and not a lot flame.”
What the Industry Needs Now
If the industry already knows what needs to be done, why would lawmakers call for a report on the topic?
“It might represent, in a way, a statement from Congress that it is dissatisfied with what agencies have done to date” regarding health care cybersecurity, Harlow said.
Stakeholders told iHealthBeat that Congress, rather than commissioning a report, should encourage the agencies responsible for cybersecurity enforcement, such as HHS’ Office for Civil Rights, to:
- Develop informational materials that can be disseminated immediately;
- Offer some form of incentives to implement cybersecurity standards;
- Provide technical assistance to those who need it; and
- Promote continuing education and cybersecurity retraining for all applicable stakeholders in the health care industry.
Harlow said, “I think the framework for providing those resources is already there. It just needs to be activated, possibly with some additional funding by Congress rather than by commissioning a yearlong report-writing process.”
January 14, 2016 By Joe Infantino, iHealthBeat
