The Cybersecurity Act of 2015 established a framework for the sharing of cybersecurity information between the federal government and private industry. Among its various provisions, Section 405 of the act created a task force composed of federal government officials and private industry representatives to review cybersecurity risks in the health care industry.
After four public meetings and numerous internal planning sessions, the Task Force has completed its “Report on Improving Cybersecurity in the Health Care Industry.” Although it has yet to be formally presented to Congress, the report was apparently finalized several months ago. The report made six major recommendations (the "Imperatives") to address identified risks, and a substantial number of proposed action items for Congress, the Department of Health and Human Services (HHS), other government agencies and private industry.
The report organized its recommendations under six Imperatives:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity;
- Increase the security and resilience of medical devices and health IT;
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities;
- Increase health care industry readiness through improved cybersecurity awareness and education;
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure; and
- Improve information sharing of industry threats, weaknesses, and mitigations.
Of particular importance to the authors of the report was the designation of one individual within HHS to prioritize and guide the implementation of the proposed recommendations. Also noteworthy is the report's recommendation to utilize the cybersecurity assessment tools developed by the National Institute of Standards and Technology (NIST), including the Cybersecurity Framework and the Baldrige Cybersecurity Excellence Builder.
The Trump administration has repeatedly shown that cybersecurity is high on its policy agenda. In March 2017, the president issued a 2018 budget blueprint outlining plans for major investments in cybersecurity, including additional funding to protect critical infrastructure in areas such as energy, transportation and election systems, and to improve defense cyber network capabilities. The president's May 23 budget proposal included $1.5 billion for the Department of Homeland Security for cybersecurity, and additional funds for the National Institute of Standards and Technology to complete its work in updating the Cybersecurity Framework. The presidential budget proposal, while carrying no force of law itself, is used by each president to outline the priorities of an administration and to serve as a guide to Congress for prioritizing and funding programs. Based on the funding requests for additional cyber-related efforts across most of the federal agencies, it would appear that the administration seeks to prioritize funding for the efforts outlined within the Task Force Report.
The urgent need for review of the health care industry’s cyber-health was thrown into the spotlight by a recent global cyberattack that impacted—among other entities—the UK’s National Health Service, the details of which we discussed in our May 15 alert, “Global Ransomware Attack: What Your Organization Needs to Know Now.” In addition, these priorities are reflected in a recent executive order calling for a comprehensive review of cybersecurity threats to the federal government, discussed in our May 16 alert, “Executive Orders Require Review of Federal IT and Cybersecurity Resources.”
Drinker Biddle has assembled a cross-industry team of lawyers and senior professionals to review the report in detail. Stay tuned for a series of articles on the impact of the recommendations and action items on existing HHS and FDA regulations affecting the health care industry; any necessary changes to existing NIST technical standards; and the required steps that will need to be taken to integrate the proposed protocols into the health care industry infrastructure.