On December 18, 2015, President Barack Obama signed into law a $1.1 trillion Omnibus spending bill (The Bill). The Bill touched on many budgetary aspects, but also included the Cybersecurity Information Sharing Act (The Act), which ultimately encourages private entities to share their cyber security practices with the federal government without the risk of liability. The goal of this Act is to examine current information structures and then correct any structural weaknesses to further protect health information. The Act mandates the creation of the Healthcare Industry Cybersecurity Task Force (Task Force) in an effort to accomplish its goal. The Task Force is to be created by March 17, 2016, to conform to the 90-day implementation provision. Further, the Task Force will operate for only one year upon enactment.
The Task Force will consist of a combined effort from the Secretary of Health and Human Services (HHS), the Director of the National Institute of Standards and Technology (NIST), and the Secretary of Homeland Security (DHS). These department heads will then bring in individuals such as healthcare industry stakeholders, cybersecurity experts, and individuals from any other agencies the Secretary deems appropriate to make up the Task Force. The primary goal of the Task Force is to create a set of voluntary, consensus-based industry guidelines and best practices for securing health information. The Task Force adopted this goal to provide a unified front against cyber attacks through the sharing of information across industries and agencies.
More specifically, the Task Force has outlined five responsibilities it will perform in order to arrive at the end goal of enhanced health information protection. First, the Task Force will analyze challenges facing private entities in the health industry when securing health information from cyber security attacks. This first responsibility represents the Task Force’s commitment to cooperation and integration across different industries, because the Task Force will study what players in other industries are doing to determine what is or is not working in the realm of cyber security. Second, the Task Force will review the challenges facing covered entities in securing networked medical devices. Third, the Secretary will provide the Task Force’s information to the health industry stakeholders. Therefore, the Secretary must disseminate the information to the stakeholders within 60 days of the Task Force’s termination. Fourth, the Task Force must establish a plan for implementing cyber security improvements in the healthcare industry that would allow the Federal government and health care industry to share actionable cyber threat indicators and defensive measures in real time. Lastly, the Task Force must report its findings and recommendations to all relevant congressional committees. The Senate committees outlined as relevant include: the Committee on Health, Education, and Pensions; the Committee on Homeland Security and Governmental Affairs; and the Select Committee on Intelligence. The House committees listed as relevant are: the Committee on Energy and Commerce; the Committee on Homeland Security; and the Permanent Select Committee on Intelligence.
The creation of the Task Force will hopefully bring more consistency to the healthcare industry’s cyber security practices. It could also potentially give small and mid-sized entities access to compliance tools that were otherwise unattainable. Further, the Task Force and the resulting cyber security practices will also allow an increase in information sharing that could potentially protect not only the healthcare industry but also other industries subject to cyber security attacks. Whatever ultimate effect the Task Force has, it will be important for all parties involved in cybersecurity to be cognizant of the Task Force’s proposed guidelines and implementation instructions.
Andrea Torgrimson is a current second-year law student at DePaul University College of Law. In addition to her work with the Mary and Michael Jaharis Health Law Institute at DePaul, Andrea is also a staff writer for the DePaul Law Review.