Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1
source of timely news and business strategies for safeguarding patient privacy
and data security.
January 2016, Volume 16, Issue 1
Covered entities (CEs) and business
associates (BAs), especially smaller ones that have trouble affording
compliance tools, may soon get some low-cost assistance on combating cyber
threats, thanks to Congress.
The help will be courtesy of the recent
funding legislation that provides government appropriations through this fiscal
year, signed into law by President Obama on Dec. 28. But it falls short of what
could have been, and what some security experts believe is needed.
Under the legislation (P. L. No.
114-113), HHS is called on to impanel a “health care industry cybersecurity
task force,” within 90 days of passage of the law, whose members will hammer
out “voluntary standards” for health care cybersecurity.
The idea for this came from S. 754, the
Cybersecurity Information Sharing Act of 2015, which the Senate passed on Oct.
27. Portions of this Senate bill and two others introduced in the House were
incorporated into the budget law. But the standards were originally to be part
of a “single, voluntary, national health-specific cybersecurity framework.” The
new legislation makes no mention of a framework.
Instead, the cybersecurity provisions,
found in a section titled “Aligning Health Care Industry Security Practices,”
call on HHS to “establish, through a collaborative process with the Secretary
of Homeland Security, health care industry stakeholders, the Director of the
National Institute of Standards and Technology (NIST), and any Federal entity
or non-Federal entity the Secretary determines appropriate, a common set of
voluntary, consensus-based, and industry-led guidelines, best practices,
methodologies, procedures, and processes that:
· “serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations;
· “support voluntary adoption and implementation efforts to improve safeguards to address cybersecurity threats;
· “are consistent with…the standards, guidelines, best practices, methodologies, procedures, and processes developed” under the National Institute of Standards and Technology Act and with HIPAA and the HITECH Act; and
· “are updated on a regular basis and applicable to a range of health care organizations.”
The law also calls for the development
of a system for private entities to share cyber threat information and
incidents with the federal government, after removing personal information.
The new legislation also requires the
establishment of a task force that will “analyze how industries, other than the
health care industry, have implemented strategies and safeguards for addressing
cybersecurity threats within their respective industries”; “review challenges
that covered entities and business associates face in securing networked
medical devices and other software or systems that connect to an electronic
health record”; and “provide the Secretary with information to disseminate to
health care industry stakeholders of all sizes for purposes of improving their
preparedness for, and response to, cybersecurity threats affecting the health
care industry.”
‘Congress Blew It’
Last year, Mac McMillan, president of
the health care IT consulting firm CynergisTek, expressed a fear to RPP
that Congress, in drafting the final legislation, might weaken the provisions
“to the point that it’s not effective at serving the industry.” He favors a
mandatory framework, but also argued that the security rule itself needed to be
scrapped or at least updated (RPP 11/15, p. 8).
McMillan terms the changes in the final
law language “significant,” and says the new legislation “opens the door to
wasteful, often proprietary, and costly programs like what we see in the credit
card industry with the Payment Card Industry Data Security Standard, which has
not done anything to stem the risk of breaches to financial information.”
According to McMillan, NIST “has
already developed all the standards we need in health care along with [a] cyber
security framework. What we need are minimal requirements for meeting the
standard that health care organizations can readily take and apply.”
Calling himself “very disappointed in
the outcome,” McMillan says members of Congress “had a chance to erase all of
the frustration associated with HIPAA and its vagaries and they blew it.”
In fact, the legislation all but forbids HHS from taking any bold action. The legislation includes a “prohibition
on new regulatory authority” and is not to be “construed to grant the Secretary
any authority to promulgate regulations or set standards relating to the
cybersecurity of non-Federal entities, not including State, local, and tribal governments,
that was not in effect on the day before the date of enactment of this Act.”
The $1.1 trillion budget law provides
funding amounts for various departments. The HHS Office for Civil Rights did
not receive a requested increase in its budget. The White House requested a
budget of $42.705 million, an increase of $3.907 million above the FY 2015
amount. Instead, Congress provided OCR with the same amount as last year:
$38.798 million.
CEs that conduct research should make
note of another new requirement in the budget law referring to privacy.
According to the legislation, “to strengthen privacy protections for human
research participants,” NIH now must require that “any new and competing
research projects designed to generate and analyze large volumes of data
derived from human research participants…obtain a certificate of
confidentiality (CoC).”
These certificates are actually granted
by NIH and other HHS agencies, and provide another layer of protection against
disclosure of certain information. “CoCs allow researchers to refuse to
disclose names or other identifying characteristics of research subjects in
response to legal demands,” according to NIH.
https://aishealth.com/archive/hipaa0116-04?utm_source=Real%20Magnet&utm_medium=Email&utm_campaign=88516992
With OCR being granted the budget of $38.798 million, a $3.907 million shortfall from its 2016 request, one might assume that audits and collection of MU money and fines will make up the difference required to run the department? HMMMM?