The healthcare sector has long been seen as one of the most vulnerable to cyberintrusions and came in for a little special attention in the cybersecurity bill signed into law in December.
That may have been overdue: Hackers compromised nearly 100 million healthcare records in 2015, according to an IBM Security report, the most of any industry.
The recently passed Cybersecurity Act of 2015 created a legally protected framework for sharing “cyberthreat indicators” between the private sector and government.
But it also contained a provision requiring the Department of Health and Human Services, with an assist from the National Institute of Standards and Technology and the Department of Homeland Security, to launch a multipronged initiative aimed at improving the cybersecurity posture of the health sector.
The HHS secretary has 60 days from the Dec. 18 bill signing to “convene healthcare industry stakeholders” in order to establish a task force on cybersecurity that will analyze cyberefforts in other sectors, barriers to improvements and challenges.
The centerpiece will be a collaborative process largely modeled on NIST’s 2013-2014 effort to develop a framework of cybersecurity standards.
The language was drafted by Senate Health, Education, Labor and Pensions Chairman Lamar Alexander, R-Tenn., and ranking member Patty Murray, D-Wash., and folded into the Senate’s version of the cyberbill before floor debate in October. It survived negotiations with the House and set off the 60-day clock to get the initiative underway.
Health groups including the American Hospital Association supported the proposal, which is seen as giving the private sector a leading role in developing cybersecurity policy.
HHS and its many cybersecurity efforts are often viewed skeptically by congressional Republicans.
But the department is one of the few federal agencies to have established meaningful metrics for assessing industry cybersecurity efforts, according to a recent Government Accountability Office study that may have come as a surprise to some.
The initiative is seen as a collaborative process that could move HHS beyond the typical confrontations between regulators and industry and into a more cutting-edge position on cybersecurity.
The collaboration should lead to a “single, voluntary, national health-specific cybersecurity framework,” according to the legislation.
That would involve “a common set of voluntary, consensus-based and industry-led standards, security practices, guidelines, methodologies, procedures and processes that serve as a resource for cost-effectively reducing cybersecurity risks for a range of healthcare organizations.”
It would support “voluntary adoption and implementation efforts to improve safeguards to address cybersecurity threats.”
At the same time, it would be consistent with security and privacy mandates under the Health Insurance Portability and Accountability Act.
It could be a tall order, but the NIST framework experience offers a promising model. That process included multiple public comment periods and a half-dozen workshops around the country. The goal was to ensure that business participants had a sense of ownership.
NIST is in the midst of a new public comment period on ways to keep its framework fresh and vibrant, an exercise that could help inform the health sector endeavor.
Assistance from NIST could help HHS create the environment of trust that will be needed to make this collaborative process work. It will also require steady and wholehearted support from industry, from the leadership of HHS and from White House cyberofficials who will be leaving their offices in a year.
But if a framework-based approach can succeed in the health sector, it would be a major success for advocates of collaboration and a real boost heading into the next administration.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.