Why HHS Needs a Privacy Leader and a Cybersecurity Leader

By Nam Nguyen and Sayee Balaji Chandrasekaran, Chair and Vice Chair, EHRA Privacy & Security Workgroup

Cyber-threats are all over the news, including attempts to hack elections, steal corporate trade secrets, and hold medical records for ransom. Phishing is rampant, and is the way most hackers ultimately get into secure systems. The U.S. government has, of course, taken notice, and is taking action on several fronts.

One of those fronts is healthcare, with the release by HHS of the Health Care Industry Cybersecurity Task Force’s “Report on Improving Cybersecurity in the Health Care Industry,” which was delivered to Congress in June 2017. The task force wrote, “Our nation must find a way to prevent our patients from being forced to choose between connectivity and security.”

EHRA welcomes this report, which we view as a path forward for increasing security in the healthcare sector. The report directly aligns with two of EHRA’s privacy and security positions:

  1. That organizations should manage risk by leveraging a risk-based framework such as NIST’s Cybersecurity Framework.
  2. That harmonization of existing and future laws and regulations that directly or indirectly apply cybersecurity standards or best practices is necessary to reduce the burden on the industry (e.g. Physician Self-Referral Law, the Anti-Kickback Statute, and multiple breach notification laws on both the state and federal level).

Privacy and security are two separate yet integral parts of any cybersecurity framework; they have many overlaps and often, particularly in healthcare, we can’t talk about security without also talking about privacy.

Security and Privacy are not the same. A Security leader’s primary concern is protecting and securing data. A Privacy leader’s primary concern is who can access certain data and what they are allowed to do with that data.

That’s where we see a key recommendation missing from the Task Force’s report: creation of a privacy leader role at HHS, separate and equal to the cybersecurity leader role recommended in the report.

Complex healthcare privacy concerns, such as de-identification, secondary use of patient data, patient choice consent, and HIPAA and non-HIPAA protected health information concerns warrant an independent privacy leader to act as a consensus authority on healthcare privacy and protecting personally identifiable information (PII).

A 2016 GAO report underscores the need for a privacy-focused officer within HHS. The report, HHS Needs to Strengthen Security and Privacy Guidance and Oversight, found that “OCR investigations, industry stakeholders, and HHS’s own audits have shown that covered entities and their business associates face challenges in implementing the Security and Privacy Rules.” In 2017 Congressional testimony, Gregory C. Wilshusen, GAO’s Director of Information Security Issues, again pointed out that “the federal government needs to better oversee protection of PII.”

Ideally a cybersecurity leader and a privacy leader will drive policy implementation, and improve cybersecurity and privacy information sharing at all levels of the healthcare industry. Improved sharing of cybersecurity threats reduces risks for the entire healthcare community. However, it will be important to create guidelines on implementation of enhanced information sharing, in order to ensure that protected health information (PHI) remains confidential.

An HHS Privacy leader will also help organizations that treat or otherwise interact with European Union residents comply with the EU’s new General Data Protection Regulation. The GDPR, which was designed “to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy,” will be enforced beginning May 25, 2018. It extends the application of European legislation to companies outside the EU, and encompasses breach notifications, access and portability, privacy, data protection and more.

Another important task ahead for HHS—and for everyone in healthcare—is the Health Care Industry Cybersecurity Task Force report’s imperative to “increase health care industry readiness through improved cybersecurity awareness and education.” EHRA seconds this imperative, but would add that improving privacy/HIPAA awareness education is equally important. We support the development and dissemination of cybersecurity and privacy education and awareness programs at all levels and especially a focus on rural, small, and medium-sized providers. We’ll share data protection best practices for healthcare organizations in a future blog post.

HHS has an important role in ensuring that America’s healthcare industry is aware of and implementing best practices for cybersecurity and privacy. This national priority deserves two experts leading the department’s efforts.
