The US government has been increasingly active in cybersecurity legislation and enforcement. Congress recently passed the Cybersecurity Act of 2015, which has spurred renewed attention to cybersecurity requirements and cyber threat information sharing. The US government continues to draw attention to how organizations can align their cybersecurity programs with the NIST Cybersecurity Framework. Moreover, a number of federal agencies including the Consumer Financial Protection Bureau, Federal Trade Commission, and Federal Communications Commission have all issued settlements relating to cybersecurity enforcement actions in recent months. In the health sector, the US Department of Health and Human Services (HHS) has been increasingly focused on cybersecurity, primarily through its HIPAA enforcement activities. Against that backdrop, three recent developments demonstrate the ways in which HHS and the health sector are expanding their cybersecurity focus beyond HIPAA Security Rule compliance.
Cybersecurity Task Force. Section 405 of the Cybersecurity Act of 2015 requires HHS to establish a Health Care Industry Cybersecurity Task Force that will create a plan for sharing information regarding threats to cybersecurity for the health care industry and recommend additional protective measures for networked medical devices and electronic health records. HHS Secretary Sylvia Burwell announced on March 1, 2016, that HHS is seeking nominations for task force members. Nominations are due by 5 p.m. Eastern on March 9, and the new task force is scheduled to have its inaugural meeting on March 17.
HIPAA-NIST Crosswalk. The HHS Office for Civil Rights (OCR) published a “crosswalk” (Crosswalk) that maps the requirements of the National Institute of Standards and Technology’s 2014 Framework for Improving Critical Infrastructure Cybersecurity (Framework) to the corresponding requirements of the HIPAA Security Rule. OCR noted that following the Framework is not sufficient to satisfy the HIPAA Security Rule. However, OCR indicated its hope that the Crosswalk will help organizations that seek to align their cybersecurity programs with both standards to identify potential gaps in their cybersecurity practices, and ease the process of transitioning from a set of cybersecurity policies and practices based on one of the standards to a program that is based on both. The Crosswalk also signals OCR’s view that organizations should consider, as part of their HIPAA Security Rule risk analysis, “whether participating in cyber-threat sharing programs is reasonable and appropriate to reduce their security risk”—as the Framework includes such sharing as part of the Risk Assessment category within the Identify function.
Framework Implementation Guide. The Health Information Trust Alliance (HITRUST), in collaboration with the Healthcare and Public Health Sector Coordinating Council, has released the Healthcare Sector Cybersecurity Framework Implementation Guide (Guide). The Guide focuses on how organizations can use the HITRUST Risk Management Framework to align their cybersecurity programs with the Framework.
Cybersecurity will grow as a key concern for the health sector as regulators continue to emphasize cybersecurity in their enforcement actions. HHS has recently imposed significant penalties related to allegations that organizations failed to properly assess and address cybersecurity risk. Another key indicator is the provision in the Cybersecurity Act of 2015 directing the HHS Secretary to establish and regularly update a set of voluntary cybersecurity best practices standards. As previously noted, organizations are well advised to pay close attention to these developments; although the standards will be “voluntary”, their publication would have a government imprimatur and could quickly become the industry standard.