December 29, 2015 | Written by: Tony Trenkle
On Christmas morning I received an unwelcome gift in the form of an email from a company, CSID, stating that they had found activity related to one or more of my CSID identity monitoring services. CSID then went on to say that they had matched my information to “information being sold on the dark web”. For those of you not familiar with CSID, they provide identity theft monitoring and restoration services for the millions of individuals who, like me, were impacted by the US Federal Government’s Office of Personnel Management data breach. Talk about a Christmas wakeup call! Not wanting this Grinch to steal my Christmas, I quickly logged on to the CSID site and found that my home email address had been compromised. The recommended fix was easy: change my account password.
My small inconvenience is only an isolated example of the much larger criminal activity that is happening every day with information online. Unfortunately, what is occurring now is only the tip of the iceberg when looking ahead to a totally interconnected world. Marc Goodman, in his recent book, Future Crimes, describes the online environment as becoming increasingly dangerous, with criminals taking full advantage of a ubiquitous network and more powerful IT tools to create lucrative new businesses and inflict harm on organizations and individuals. All industries are being impacted, but the healthcare industry most of all.
Over the last ten years, fueled in part by large government subsidies, healthcare has become much more dependent on technology and data. How healthcare is managed and paid for is increasingly driven by data-driven value models and networked, coordinated care. Formerly siloed provider practices with paper patient records are going electronic and are being integrated with, or subsumed by, larger organizations. Clinical data is becoming more readily available, and medical devices, along with the humans wearing them, are providing additional information and network connection points. Health data breaches are increasing rapidly, and health data is becoming much more valuable to criminals.
The health industry, at least since the HIPAA legislation and regulations were enacted, has focused primarily on compliance and on protecting networks and back-end databases, sometimes from outsiders but also from insider exploitation. As the industry evolves from the old model to the more data-intensive, networked healthcare model, the management of security and privacy risks has to change rapidly to keep pace with the new environment.
Congress, with language in the recent omnibus budget bill, signed by the President on December 18, 2015, has signaled its concern with the increasing healthcare security vulnerabilities. There are also broader cybersecurity provisions in the legislation, but one section (SEC. 405. Improving cybersecurity in the healthcare industry) deals specifically with the healthcare industry. While the section contains nothing earth-shattering and prescribes the usual “write a report” and “create a taskforce” requirements, it does begin to lay out a way for government and industry to forge a closer relationship to deal systemically with current and future cybersecurity challenges. There are three key parts in Section 405, each of which could create a pathway to better industry-wide security practices. They address several critical areas: creating a more coordinated cybersecurity threat management approach among the Department of Health and Human Services (HHS) agencies and with their ecosystems, establishing a plan that should lead to better and more timely cyber threat communications within the health industry, and finally creating a national, health-specific, voluntary cybersecurity framework. Let’s look at each of these areas in a little more detail.
The first part basically deals with organizing HHS and its various operating agencies to better coordinate the management of cyber threats. HHS has to submit a report to Congress in which it designates a central point of contact and, more importantly, provides “a plan from each relevant operating division and subdivision of the Department of Health and Human Services on how such division or subdivision will address cybersecurity threats in the health care industry, including a clear delineation of how each such division or subdivision will divide responsibility among the personnel of such division or subdivision and communicate with other such divisions and subdivisions regarding efforts to address such threats.” This language is very explicit in how it promotes the HHS agencies working more closely together on cybersecurity issues and addressing their ecosystems’ cybersecurity threats. If this is done well, it could be very beneficial to the health industry. It will be interesting to see where HHS decides the overall leadership of this action will reside. The Office of the National Coordinator is one choice but does very little internal HHS coordination. The Office of Civil Rights is another possibility, since it “owns” HIPAA security and privacy oversight, but it has always approached those areas from more of a legal view. There is also the HHS Office of the Chief Information Officer, which manages overall cybersecurity for HHS but does not really focus on the national health industry ecosystem.
The second action item is forming a public-private taskforce that will “establish a plan for creating a single system for the Federal Government to share information on actionable intelligence regarding cybersecurity threats to the health care industry in near real time…, including which Federal agency or other entity may be best suited to be the central conduit to facilitate the sharing of such information.” This is another much-needed area, whose success will largely depend on how it is managed within HHS. It will also be interesting to see how much influence the National Institute of Standards and Technology (NIST) has over the taskforce, given that it was specifically called out in the legislation.
The third area establishes a “single, voluntary, national health-specific cybersecurity framework” that consists of “a common set of voluntary, consensus based, and industry-led standards, security practices, guidelines, methodologies, procedures, and processes that serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations.” Congress makes it clear, using the word “voluntary” five times, that this will not be a regulation-based approach and will need heavy input from NIST, the Department of Homeland Security, and the health industry. They also make it clear that whatever is developed has to be “consistent” with HIPAA and HITECH. The framework area is the weakest of the law’s provisions but does set in place a way to develop more coordinated industry-wide approaches to managing cybersecurity.
As always, the challenge is how successfully the government policy teams can take the legislation and operationalize its provisions. Section 405 can be a good step toward better coordination of health industry cybersecurity management if it does not become an overly bureaucratic, report-driven effort. Congress will undoubtedly consider stronger legislation if it is not satisfied with how Section 405 is implemented.