June 16 — Regulators have released final procedures for how the government handles cybersecurity information shared by companies, but health-care organizations are already embracing data-sharing communities as a way to better prepare for cyberthreats.
The Department of Homeland Security and the Department of Justice also released instructive guidance to companies that wish to gain liability protection if they share cybersecurity threat information with the government (81 Fed. Reg. 39,061, 6/15/16) (RIN:2016–134742). The documents outline the protections private companies can obtain under the Cybersecurity Information Sharing Act (CISA), passed in 2015.
While the health-care industry welcomed the guidance, many hospitals and payer organizations over the past year have used both informal programs and federal data-sharing organizations to share cyberthreat information, Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society, told Bloomberg BNA.
Those federal organizations include the National Health Information Sharing and Analysis Center (NH-ISAC), a public-private partnership between health-care organizations and federal agencies such as the DHS, he said.
“CIOs and CISOs of health care organizations are having closed-door meetings about these threats and looking to get information about them,” Kim said, referring to chief information officers and chief information security officers. “Health care has definitely been under attack and there's a large focus on being prepared.”
The new procedures bring no reporting requirements for health-care organizations or other private sector organizations, Kim said.
CISA provides private entities that “promptly” share their cyberthreat data with the government immunity from any public or private cause of action. CISA extends protections to companies that share a “cyber threat indicator or defensive measure” with the government.
Although the guidelines for nonfederal entities outline cybersecurity threats and defensive measures, they don't define personally identifiable information (PII) or provide an easy mechanism for companies to delete sensitive data.
Specifically, the guidance provides that a nonfederal entity that wishes to share information with a federal agency must remove PII that isn't “directly related to a cybersecurity threat.” Although the guidance doesn't define PII, it lists types of information that should be excluded, such as: protected health information, human resource information, education history, property ownership and information protected under the Children's Online Privacy Protection Act.
Mordecai Rosen, senior vice president of software for the cybersecurity company CA Technologies, said it is important for the DHS and DOJ to “help organizations understand there are tools to help them remove PII automatically, helping to lessen concerns about liability and enhance confidence” in the cybersecurity information sharing program.
The agencies should work on a “sector specific” approach to “promote best practice workshops on privacy protection, and encourage participation in the information sharing standards development process,” he said at a June 15 House Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee hearing.
Caponi said the goal of CISA and the underlying rules “is to facilitate real time, or close to real time, sharing of threat information” and “provide a framework for private companies to share information” for a “more coordinated effort to repel cyberattacks.”
After failing to reconcile cybersecurity sharing bills promulgated by the House and Senate, Congress incorporated CISA as part of the Consolidated Appropriations Act, which was signed by President Barack Obama Dec. 16, 2015. The final rules were due within 180 days of passage of CISA.
To contact the reporter on this story: Alex Ruoff in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com