What Lawmakers Are Doing About Health Care Cybersecurity

June 4, 2015

Topics: Data Privacy Security, Health Information Technology

By Rachel Schulze, staff writer

Although recently proposed bills being considered by Congress and policy proposals from the Obama administration that take aim at cybersecurity are not specifically aimed health care, they do touch on the industry.

'Year of the Health Care Data Breach'

A recent Ponemon Institute report found that nearly two-thirds of health care organizations say they have experienced an electronic information-based security incident within the last two years. Meanwhile, three major insurers so far this year have disclosed security incidents.

"[C]oming into the year, many security and privacy experts expected that this would be the year of the health care data breach, not unlike last year, where retail and financial services [were] under attack," ID Experts President and Co-Founder Rick Kam said in a podcast accompanying the report, adding, "And 2015, really, unfortunately, has become the year of the health care data breach."

Health Care Industry Can Benefit From 'Lessons Learned'

Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance, said, "One of the biggest things I think the health care industry can do is take some 'lessons learned' from other industries that have long done a very good job -- such as financial services -- of information sharing." For example, she noted that the health care industry could further develop its Information Sharing and Analysis Center -- a hub through which "critical infrastructures" share sector-related information within their sectors, with other sectors and with the government.

Members of Congress -- as well as the White House -- are seeking to encourage cyber-threat information sharing within industries and between the private sector and government.

Two measures under consideration in the House -- the Protecting Cyber Networks Act (HR 1560) and the National Cybersecurity Protection Advancement Act (HR 1731) -- would "formalize the process for information sharing and encourage private entities to share amongst themselves and with the government," according to HITRUST.

The bills also would "provide legal certainty that companies sharing that information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time and taking actions to mitigate cyberattacks," HITRUST noted.

The bills have been combined, and lawmakers intend to work with the Senate -- where similar legislation (S 754) also is pending -- to create a compromise measure.

The White House in statements "commend[ed]" the lawmakers' efforts on the House bills but also voiced concerns over "sweeping liability protections."

CynergisTek CEO Mac McMillan said it is "unclear at the moment" how the House bills would affect health care, noting that there has been some debate about "exclusivity around HIPAA and HITECH."

Nonetheless, he said that the bills "obviously seek to establish a standard for how we secure data and how we secure networks and how we apply security in environments, which is one of the things that health care quite frankly is missing." He added, "Health care has the HIPAA security rule, but it doesn't have a specific framework that organizations have to follow. So each organization picks and chooses whatever framework they want to use."

HITRUST supported the House bills, saying they "go far in addressing information sharing priorities and provide clarity for health care companies."

However, some privacy advocates have expressed concern that that the measures will result in more information being sent to the government, according to Angela Rose, director of Information Management Practice at the American Health Information Management Association.

In a joint letter, several open government and civil liberties groups expressed their opposition to the PCNA, writing that the measure "would undermine government transparency and potentially result in the bulk collection and mining of sensitive personal information by intelligence agencies that would have little to do with cybersecurity."

Meanwhile, the White House in January released a set of cybersecurity legislative proposals that includes an information sharing measure that aims to "codify information sharing" within private entities and between private entities and the government. The plan encourages private entities to share cybersecurity information with the government, which would then share it with "relevant federal agencies" and Information Sharing Analysis Organizations developed and run by the private sector. The government would offer targeted liability protection to participating companies.

Better Targeting Cybercrime

In addition, the White House's proposal asks lawmakers to modernize law enforcement provisions so that they can better target cybercrime.

Criminal attacks have overtaken employee errors as the number-one cause of data breaches for health care organizations, according to Ponemon Institute Chair and Co-Founder Larry Ponemon.

Patterson said, "The criminal element is highly organized, highly well-funded and is very much into information sharing." She added that in order to help law enforcement respond to cybercrime, the sector needs to be well-funded so officials "have the ability to ... adapt and innovate their tools and resources."

In addition, she noted the U.S. needs to look at how it could update penalties to help deter such cybersecurity crimes. She said, "We do need penalties that are stiff enough to make an actual impact as opposed to just imposing some nominal financial-type kind of penalty."

Meanwhile, to get organizations to improve their cybersecurity, Kam suggested adopting measures that hold executives personally accountable. He pointed to the effect the Sarbanes-Oxley Act has had on the financial services sector. Under Sarbanes-Oxley, public companies must have a high-level company executive sign off that financial reports are accurate to the best of his/her knowledge. The signer faces repercussions if the Securities and Exchange Commission learns that the information was misrepresented. "That changed behavior dramatically in terms of ... the right people caring," Kam said.

Kam noted that a personal accountability element could be added to HIPAA. He said that if the person responsible for resource allocation is personally accountable under the law "that will change behavior."

Health Care Excluded

The White House in its legislative proposals also has called for Congress to create a national 30-day data breach notification standard that would supersede existing state data breach laws.

However, the White House's breach proposal, the Personal Data Notification & Protection Act, would not override the HITECH Act, which updated HIPAA's breach notification requirements. "What the president's proposing is for all other entities -- not health care," Rose said.

Under HIPAA and HITECH, covered entities have 60 days to report a data breach to affected patients. Some states have implemented shorter notification periods, and those stricter state laws take precedent over the more-lax federal requirements.

G.S. Hans -- policy counsel and director of Center for Democracy & Technology-San Francisco -- in a blog post raised concerns about the PDNPA's pre-emption clause. He wrote, "At the very least, federal data breach legislation should only pre-empt state laws that address the same areas as a federal law -- any exemptions to federal regulation should also apply to pre-emption."

McMillan predicted that having a national breach notification law in place for all industries, not just health care, would lead to "an exponential increase in the number of breaches" reported in the U.S.

"I think what's [going to] happen as an effect of that ... is that it's [going to] really shine a bright light on how little attention is given to privacy and security by corporate America," McMillan said. He added, "I think that's [going to] precipitate other, more stringent laws. So I think that will force legislators to begin to look at, 'Well, how do we fix this?' 'How do we get the number of breaches to go down?'"