The HHS Cybersecurity Task Force – Promoting Cooperation Not Isolation in the Health Industry

On December 18, 2015, President Barack Obama signed into law a $1.1 trillion Omnibus spending bill (The Bill). The Bill touched on many budgetary aspects, but also included the Cyber Security Information Sharing Act (The Act), which encourages private entities to share their cyber security practices with the federal government without the risk of liability. The goal of this Act is to examine current information structures and then correct any structural weaknesses to further protect health information. To accomplish this goal, the Act mandates the creation of the Healthcare Industry Cybersecurity Task Force (Task Force). The Task Force is to be created by March 17, 2016, to conform to the 90-day implementation provision. Further, the Task Force will only operate for one year upon enactment.

The Task Force will consist of a combined effort from the Secretary of Health and Human Services (HHS), the Director of the National Institute of Standards and Technology (NIST), and the Secretary of Homeland Security (DHS). These department heads will then draw on individuals such as healthcare industry stakeholders, cybersecurity experts, and individuals from any other agencies the Secretary deems appropriate to make up the Task Force. The primary goal of the Task Force is to create a set of voluntary, consensus-based industry guidelines and best practices for securing health information. The Task Force adopted this goal to present a unified front against cyber attacks through the sharing of information across industries and agencies.

More specifically, the Task Force has outlined five responsibilities it will perform in order to arrive at the end goal of enhanced health information protection. First, the Task Force will analyze challenges facing private entities in the health industry when securing health information from cyber security attacks. This first responsibility represents the Task Force’s commitment to cooperation and integration across different industries, because the Task Force will study what players in other industries are doing in order to determine what is or is not working in the realm of cyber security. Second, the Task Force will review the challenges facing covered entities in securing networked medical devices. Third, the Secretary will provide the Task Force’s information to the health industry stakeholders; the Secretary must disseminate that information to the stakeholders within 60 days of the Task Force’s termination. Fourth, the Task Force must establish a plan for implementing cyber security improvements in the healthcare industry that would allow the Federal government and the health care industry to share actionable cyber threat indicators and defensive measures in real time. Lastly, the Task Force must report its findings and recommendations to all relevant congressional committees. The Senate committees outlined as relevant include: the Committee on Health, Education, and Pensions; the Committee on Homeland Security and Governmental Affairs; and the Select Committee on Intelligence. The House committees listed as relevant are: the Committee on Energy and Commerce; the Committee on Homeland Security; and the Permanent Select Committee on Intelligence.

The creation of the Task Force will hopefully bring more consistency to the healthcare industry’s cyber security practices. It could also give small and mid-sized entities access to compliance tools that were otherwise unattainable. Further, the Task Force and the resulting cyber security practices will allow an increase in information sharing that could potentially protect not only the healthcare industry but also other industries subject to cyber security attacks. Whatever the Task Force’s ultimate effect, it will be important for all parties involved in cybersecurity to be cognizant of the Task Force’s proposed guidelines and implementation instructions.


Andrea Torgrimson is a current second-year law student at DePaul University College of Law.  In addition to her work with the Mary and Michael Jaharis Health Law Institute at DePaul, Andrea is also a staff writer for the DePaul Law Review.