Congressional Task Force Issues Report on Cybersecurity in the Health Care Industry

By Zuzaka S. Ikels

In June 2017, the Health Care Industry Cybersecurity Task Force issued its Report on Improving Cybersecurity in the Health Care Industry. To view the report, click here.

The task force was created by Congress as part of the Cybersecurity Act of 2015, and is comprised of subject matter experts from the public and private sector that evaluated the cybersecurity threats, the security of IT systems, and the regulations and laws that relate to the health care industry. In the Report, the task force discusses the evolution and transition from paper to electronic healthcare records (“EHR”), and tailors the recommendations to encourage opportunities for efficiencies, research and sharing of information, while responding to the increasing threat of cybersecurity breaches to the health care providers’ technical infrastructure.

The task force explains that the health care sector has only made financial investments in cybersecurity in the last five years, while rapidly expanding the use of the Internet of Things (internet-connected, medical devices) and EHR data, which magnifies the risk of breaches and theft. The Report discusses the growing risk of cyber incidents regarding patient data, which is an acute threat with the rise and sophistication of ransomware attacks that seek to hold data hostage that involves critical patient information and monitoring devices.

The Report also criticizes the overwhelming number of regulatory bodies involved on both the federal and state level, observing it has led to overly-complicated and confusing requirements and laws. Given that technology is outpacing the laws and regulations, the task force laments that there are a number of laws and regulations that “impose a substantial legal and technical burden on health care organizations, without having a material impact on reducing risks.” The Report offers a laundry list of uniform recommendations, guidelines and practices aimed to streamline the compliance process, reduce risk, while encouraging technological innovation, research and development and sharing information. 

Highlights of the task force’s recommendations include the following:

  • All health care entities should follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework, but customized to address the complexity of patient data.
  • There should be a single cybersecurity leader to govern the privacy concerns for medical information within HHS. The Report identifies six different agencies jockeying for control, noting that within the HHS, the Office for Civil Rights (OCR), CMS, the Food and Drug Administration (FDA), the Office of the National Coordinator (ONC), and the Office of the Assistant Secretary for Preparedness and Response (ASPR) play important and diverse roles in cybersecurity. Other administrative agencies and independent commissions such as the Federal Trade Commission (FTC), which also plays a role in setting expectations for privacy and security of health information. The burden on healthcare entities is compounded by the panoply of state laws that vary in definitions, scope, standards and expectations. The Taskforce noted that there were state laws governing : (1) unauthorized access, malware, and viruses (all 50 states), (2) denial of service attack laws (25 states); (3) Ransomware laws in two states, with another four states currently under consideration; (4) Spyware laws (20 states); and (5) Phishing laws (in 23 states). 
  • Scalable best practices should be created, which impose different expectations, obligations and policies depending on the size of the health care entity. 
  • Congress should create an exception, under the Stark Law and Anti-Kickback Statutes, to encourage hospitals to share resources and provide financial assistance with doctors and clinics related to cybersecurity systems. 
  • Health care entities should focus on increasing the security of medical devices and health IT, and legacy EHR systems. They suggested either imposing requirements or financial incentives to share software and systems to ensure a more robust and secure system overall for secure and safe patient data transmissions. 
  • Implement a multi-step authentication and training requirements for clinicians accessing the systems. 
  • The Report also discusses a series of specific recommendations regarding appointing a lead IT representative, conducting annual audits and sharing information related to better security measures, Big Data Analytics, and research and development. 

For more information regarding the Health Care Industry Cybersecurity Task Force or health care privacy, please contact the author of this blog or Polsinelli’s Privacy and Data Security team.