Regulators Issue Cybersecurity Threat-Sharing Rules

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By Daniel R. Stoller and Alex Ruoff

June 16 — Regulators have released final procedures for how the government handles cybersecurity information shared by companies, but health-care organizations are already embracing data-sharing communities as a way to better prepare for cyberthreats.

The Department of Homeland Security and the Department of Justice also released instructive guidance to companies that wish to gain liability protection if they share cybersecurity threat information with the government (81 Fed. Reg. 39,061, 6/15/16) (RIN:2016–134742). The documents outline the protections private companies can obtain under the Cybersecurity Information Sharing Act (CISA), passed in 2015.

While the health-care industry welcomed the guidance, many hospitals and payer organizations over the past year have used both informal programs and federal data-sharing organizations to share cyberthreat information, Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society, told Bloomberg BNA.

Those federal organizations include the National Health Information Sharing and Analysis Center (NH-ISAC), a public-private partnership between health-care organizations and federal agencies such as the DHS, he said.

“CIOs and CISOs of health care organizations are having closed doors meetings about these threats and looking to get information about them,” Kim said, referring to chief information officers and chief information security officers. “Health care has definitely been under attacks and there's a large focus on being prepared.”

The new procedures bring no reporting requirements for health-care organizations or other private sector organizations, Kim said.

CISA provides private entities that “promptly” share their cyberthreat data with the government immunity from any public or private cause of action. CISA extends protections to companies who share a “cyber threat indicator or defensive measure” with the government.

Personally Identifiable Information

Although the guidelines for nonfederal entities outline cybersecurity threats and defensive measures, they don't define personally identifiable information (PII) or provide an easy mechanism for companies to delete sensitive data.

Specifically, the guidance provides that a nonfederal entity that wishes to share information with a federal agency must remove PII that isn't “directly related to a cybersecurity threat.” Although the guidance doesn't define PII, it lists types of information that should be excluded, such as: protected health information, human resource information, education history, property ownership and information protected under the Children's Online Privacy Protection Act.

Mordecai Rosen, senior vice president of software for the cybersecurity company CA Technologies, said it is important for the DHS and DOJ to “help organizations understand there are tools to help them remove PII automatically, helping to lessen concerns about liability and enhance confidence” in the cybersecurity information sharing program.

The agencies should work on a “sector specific” approach to “promote best practice workshops on privacy protection, and encourage participation in the information sharing standards development process,” he said at a June 15 House Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee hearing.

Caponi said the goal of CISA and the underlying rules “is to facilitate real time, or close to real time, sharing of threat information” and “provide a framework for private companies to share information” for a “more coordinated effort to repel cyberattacks.”

After failing to reconcile cybersecurity sharing bills promulgated by the House and Senate, Congress incorporated CISA as part of the Consolidated Approproations Act, which was signed by President Barack Obama Dec. 16, 2015. The final rules were due within 180 days of passage of CISA.

To contact the reporter on this story: Alex Ruoff in Washington at

To contact the editor responsible for this story: Kendra Casey Plank at

Request Health Care on Bloomberg Law