CONGRESS DIRECTS ACTION IN HEALTHCARE CYBERSECURITY
In December 2015 Congress passed a roughly 2,000-page spending bill that was signed into law. Included in its text was the Cybersecurity Information Sharing Act of 2015 (CISA). While that legislation received most of the headlines, the spending bill also contained significant developments for cybersecurity and privacy in the healthcare industry. Section 405 of Title IV directs the Department of Health and Human Services (HHS) to develop cybersecurity best practices for organizations in the healthcare industry.
The legislation requires HHS to report to Congress on the preparedness of the healthcare industry to respond to cybersecurity threats. The report must identify the HHS official responsible for coordinating threat-response efforts and describe how HHS divisions communicate with one another about threats. Congress also mandated a one-year task force to plan a system for sharing actionable threat information with the industry in near real time, and to prepare cybersecurity preparedness information for dissemination throughout the healthcare industry. Most notably, HHS has been directed to collaborate with other government entities and outside experts to establish voluntary, consensus-based best practices specific to healthcare cybersecurity. The intent is to create an industry-standard, cost-effective method of reducing cybersecurity risk for healthcare organizations.
Inclusion of Section 405 in the Cybersecurity Act of 2015 reinforces the federal government's well-established priority of protecting personal health information. Protection is necessary because of the high value of personal health information on the black market. According to the Insurance Journal, a complete health record containing a patient's entire health profile can fetch as much as $500. The value lies in the ability of criminals to use such records to fraudulently bill insurers for medical services. Compared to industries like the payment card industry, which has implemented its own cybersecurity standards (PCI DSS), the healthcare industry is woefully behind in its efforts to protect valuable private information.
Healthcare facilities, both public and private, should stay ahead of HHS and develop their own internal policies, security measures, and best practices to protect the confidential information of their patients. While future guidance from HHS will help establish industry-standard best practices, healthcare providers should evaluate their cybersecurity needs now and work with experts (attorneys, technologists, and government agencies) to stay ahead of the curve. The attention given to healthcare cybersecurity in the coming years will undoubtedly increase the scrutiny on healthcare providers who fail to meet industry standards.