John Frank
Doctors and others in healthcare who were hoping to see some immediate relief from cyber attacks thanks to the Cybersecurity Information Sharing Act of 2015 will need to wait until next year before they begin getting any help, say those familiar with the legislation.
While healthcare is the only business segment specifically mentioned in the law, the statute mandates study of the issue of healthcare cybersecurity, not immediate actions.
Leslie Krigstein, vice president of congressional affairs with the College of Healthcare Information Management Executives (CHIME) says not to expect major recommendations on healthcare data security until March 2017. But she applauds the legislation for starting the process of looking systematically at healthcare cyber threats.
The law was enacted in late 2015 as part of a larger legislative package. It calls on the U.S. Department of Health and Human Services (HHS) to establish a cybersecurity czar to study ways of protecting healthcare from cyber threats.
Under the law, HHS also must become part of an interagency cybersecurity task force with the Department of Homeland Security and the National Institute of Standards and Technology. The thinking is that healthcare can learn from best practices that industries such as finance already have implemented, says Lee Kim, JD, FHIMSS, director of privacy and security with the Healthcare Information and Management Systems Society (HIMSS).
In addition to naming a head of cybersecurity, HHS must create a healthcare task force that includes an insurance provider, a healthcare information clearinghouse, a healthcare provider, a patient or consumer, pharmacists, developers or vendors of healthcare technology, laboratories, and pharmaceutical or medical device manufacturers, says Kim.
The task force will examine challenges and solutions for healthcare cybersecurity and has one year from its formation to deliver its report. Eventually HHS will develop a set of voluntary cybersecurity guidelines based on that report that healthcare providers can look to for enhancing their own security.
The law also protects healthcare organizations from liability when they share cyber threat information, as long as patient personal data is scrubbed from any shared files.
Critics fault the measure for not mandating actions to counter cyber threats. “I just don’t think they’re really doing enough,” says Jay Trinckes, CISSP, CISM, senior practice lead of the healthcare and life sciences practice at Coalfire, an Atlanta-based cyber risk management consulting firm. “Is it really going to do anything to enhance security in the industry?”
Supporters, such as CHIME and HIMSS, counter that the law will help healthcare because it will, for the first time, create one resource within HHS that providers can look to for cybersecurity best practices. “We’re in a state in healthcare where unfortunately, for cybersecurity, there isn’t one set of best practices,” says Kim.
Both HIMSS and CHIME endorse the law’s provision that whatever guidelines are developed will be voluntary. Responding to critics who want mandatory guidelines, Kim says it’s too early to know which guidelines would be effective, so creating mandates now would be counterproductive.
A health IT bill being considered in the Senate Health, Education, Labor and Pensions Committee doesn’t look at the broad issue of healthcare data security, says Krigstein. Instead, it says only that electronic health record manufacturers must specify that they have considered security when designing their systems. So the 2015 cybersecurity law likely is all that healthcare will get from Washington on the topic this year.
John Frank has more than 39 years of experience as a professional journalist and is a contributing author for Medical Economics.