By Nam Nguyen and Sayee Balaji Chandrasekaran, Chair and Vice Chair, EHRA Privacy & Security Workgroup
Cyber-threats are all over the news, including attempts to hack elections, steal corporate trade secrets, and hold medical records for ransom. Phishing is rampant, and is the way most hackers ultimately get into secure systems. The U.S. government has, of course, taken notice, and is taking action on several fronts.
One of those fronts is healthcare, with the release by HHS of the Health Care Industry Cybersecurity Task Force’s “Report on Improving Cybersecurity in the Health Care Industry,” which was delivered to Congress in June 2017. The task force wrote, “Our nation must find a way to prevent our patients from being forced to choose between connectivity and security.”
EHRA welcomes this report, which we view as a path forward for increasing security in the healthcare sector. The report directly aligns with two of EHRA’s privacy and security positions:
- That organizations should manage risk by leveraging a risk-based framework such as NIST’s Cybersecurity Framework.
- That harmonization of existing and future laws and regulations that directly or indirectly apply cybersecurity standards or best practices is necessary to reduce the burden on the industry (e.g. Physician Self-Referral Law, the Anti-Kickback Statute, and multiple breach notification laws on both the state and federal level).
Privacy and security are two separate yet integral parts of any cybersecurity framework; they have many overlaps and often, particularly in healthcare, we can’t talk about security without also talking about privacy.
Security and Privacy are not the same. A Security leader’s primary concern is protecting and securing data. A Privacy leader’s primary concern is who can access certain data and what they are allowed to do with that data.
That’s where we see a key recommendation missing from the Task Force’s report: creation of a privacy leader role at HHS, separate and equal to the cybersecurity leader role recommended in the report.
Complex healthcare privacy concerns, such as de-identification, secondary use of patient data, patient choice consent, and HIPAA and non-HIPAA protected health information concerns warrant an independent privacy leader to act as a consensus authority on healthcare privacy and protecting personally identifiable information (PII).
A 2016 GAO report underscores the need for a privacy-focused officer within HHS. The report, HHS Needs to Strengthen Security and Privacy Guidance and Oversight, found that “OCR investigations, industry stakeholders, and HHS’s own audits have shown that covered entities and their business associates face challenges in implementing the Security and Privacy Rules.” In 2017 Congressional testimony, Gregory C. Wilshusen, GAO’s Director of Information Security Issues, again pointed out that “the federal government needs to better oversee protection of PII.”
Ideally a cybersecurity leader and and a privacy leader will drive policy implementation, and improve cybersecurity and privacy information sharing at all levels of the healthcare industry. Improved sharing of cybersecurity threats reduces risks for the entire healthcare community. However, it will be important to create guidelines on implementation of enhanced information sharing, in order to ensure that protected health information (PHI) remains confidential.
An HHS Privacy leader will also help organizations that treat or otherwise interact with European Union residents comply with the EU’s new General Data Protection Regulation. The GDPR, which was designed “to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy,” will be enforced beginning May 25, 2018. It extends the application of European legislation to companies outside the EU, and encompasses breach notifications, access and portability, privacy, data protection and more.
Another important task ahead for HHS—and for everyone in healthcare—is the Health Care Industry Cybersecurity Task Force report’s imperative to “increase health care industry readiness through improved cybersecurity awareness and education.” EHRA seconds this imperative, but would add that improving privacy/HIPAA awareness education is equally important. We support the development and dissemination of cybersecurity and privacy education and awareness programs at all levels and especially a focus on rural, small, and medium-sized providers. We’ll share data protection best practices for healthcare organizations in a future blog post.
HHS has an important role in ensuring that America’s healthcare industry is aware of and implementing best practices for cybersecurity and privacy. This national priority deserves two experts leading the department’s efforts.
EHRA Blog 
Bradley Saull (@BradleySaull)
/ April 5, 2018I generally agree. But if HHS does more in cybersecurity, don’t put the HHS CISO in charge of healthcare sector cybersecurity: they already have a full-time job securing HHS internal systems under the Federal Information Security Management Act (FISMA).
With the passage of the Cybersecurity Act of 2015, Congress took an important first step in creating processes and resources to assist all critical infrastructure sectors in identifying and defending against cyber threats. For many of these critical infrastructure sectors, the Department of Homeland Security (DHS) is the lead coordinating agency. However, in other sectors, a sector-specific agency (SSA) has the lead in cyber coordination while DHS plays a supporting role. Examples of this structure include the Treasury Department for the financial sector, the Department of Energy for the energy sector, the Environmental Protection Agency for the water sector, and the Department of Health and Human Services for the healthcare sector. Since before the law was passed, and continuing today, each of the critical infrastructure sectors are at different levels of maturity in combatting cyber threats as various private entities within each sector have chosen to invest in cybersecurity as a business imperative to their success. The financial services sector has long been the gold standard in cybersecurity coordination as many private companies have invested in cybersecurity protections and sharing mechanisms based on how interconnected financial transactions are and the economic consequences at stake if there is a major breach. As the SSA for the healthcare sector, it was natural for HHS to rely on a place where the HHS workforce had cybersecurity expertise – the Chief Information Security Officer (CISO). However, is that the right answer long-term? I don’t believe so.
Other sector specific agencies have given broader sector cybersecurity to another entity within their Department, not to the CISO. These sectors have government coordinating councils and sector-specific coordinating councils as governance structures supporting them. For instance, the CISO at DHS has FISMA responsibility for DHS networks, but is not responsible for securing government systems government-wide. Another office (NPPD) within DHS has that role, with various governance structures supporting them. In February 2018, U.S. Secretary of Energy Rick Perry announced the establishment of a new Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at the U.S. Department of Energy (DOE) to bolster DOE’s efforts in energy sector cybersecurity. HHS should look to these other SSAs as a model to follow.
LikeLike