Mixed support on Congress’ approval of national cybersecurity framework

The growing urgency for stronger security among health care information technology has been rippling through the industry for some time now. Providers, hospitals, patients and doctors want to know that medical and personal information is safe and secure. No matter what the cost, many in the industry have begun to take action and Washington is finally starting to follow suit. For the first time in 12 years, Congress has passed and sent significant cybersecurity legislation to the White House, according to Global Privacy and Cybersecurity practice Hunton&Williams.

Congress approves four bills
In what Hunton&Williams considered an unexpected surprise, Congress approved four bills on cybersecurity. These bills improve any lapse in federal information systems, outline and make clear the role of the Department of Homeland Security when it comes to private-sector information sharing, amplify the cybersecurity workforce, and arrange an outline of the National Institute of Standards and Technology's cybersecurity plan. The practice reported that the President is expected to sign each of these bills.

However, these bills are nothing new. Essentially, they are finalizing and pushing the agency activity that already does exist, instead of providing any new mechanisms to combat cybersecurity. In comparison, the private sector has been able to seek more detailed and novelty measures.

Only the beginning
According to Health Data Management, there is still much work to be done and instead of providing any real outline, the Cybersecurity Act of 2015 is more just a method for pushing an existing plan into motion. The act takes up several pages of the federal government spending bill, focusing on how to better improve cybersecurity in the continuously more technological field of health care. Several steps will need to take place following approval of the bills. The Department of Health and Human Services, Homeland Security and the National Institute of Standards and Technology will need to create a joint task force. In addition to strategizing and analyzing, the force will address all changes that develop in connection to network security among electronic health records. They will also provide timely information to stakeholders so that they can be better prepared.

Much is also required of the HHS within the first year of enactment, according to Health Data Management. The organization must provide a concrete plan of addressing, preventing and responding to cybersecurity threats. A leader of the division must be appointed and the role of each division outlined. Additionally, it is required that all of this must be done in the most cost-effective manner.

Perhaps most notable is the establishment of the National Cybersecurity Center of Excellence that will take place with $31.5 million in funding. The Cybersecurity Act of 2015 will also take several measures when it comes to private sector entities. The act ensures that they are provided with liability protection when sharing and receiving cyber threat data and that individuals are notified in an effective time frame if or when their personal information was shared, according to the Health Data Management's report of the Healthcare Information and Management Systems Society's analysis.

Mixed support
Despite forward movement in addressing cybersecurity threats, criticism remains. Health Data Management reported that privacy rights advocate group Electronic Frontier Foundation believes the legislation includes three bills that are dangerous. In a statement the group said, "Maybe more importantly, the bills do not address problems from the recent highly publicized computer data breaches that were caused by unencrypted files, poor computer architecture, un-updated servers, and employees or contractors clicking malware links."

Perhaps even more important is the fact that the majority of health care patients are not able to easily access and download records of their own medical information. According to the founder of Patient Privacy Rights, Deborah Peel, M.D., the HITECH Act is supposed to ensure this right is granted to patients. The coming year will be a telling indication of how Congress and the industry will further handle this growing concern of cybersecurity.