Healthcare, a critical infrastructure sector in the United States, requires meaningful, secure e-exchange of health information to improve health, provide better care, and lower costs. Healthcare providers and organizations must be equipped to defend against growing cyber threats using a consistent and effectively implemented data security framework.
HIMSS supports efforts in the House and Senate to advance information sharing legislation. H.R. 1560, the Protecting Cyber Networks Act (PCNA), and H.R. 1731, the National Cybersecurity Protection Advancement Act (NCPAA) of 2015, were passed by the House in April; S. 754, the Cybersecurity Information Sharing Act (CISA) of 2015, was passed by the Senate Select Committee on Intelligence in March and brought to the Senate floor to begin consideration in August. These bills are a positive step, but given the unique characteristics of the healthcare sector, we encourage Congress to further explore policies to ensure the information is actionable, timely and accessible to all healthcare organizations.
Specifically, Congress should:
- Direct HHS to identify, through a collaborative process with community stakeholders, academics, and the National Institute of Standards and Technology (NIST), a single, voluntary, national health-specific IT data security framework that:
  - Includes a common set of security practices and standards that specifically pertain to a range of healthcare organizations;
  - Supports voluntary adoption and implementation efforts to improve cybersecurity safeguards;
  - Creates a more uniform technical landscape; and
  - Is consistently updated and applicable to the range of healthcare organizations.
- Create a single information sharing pipeline of actionable cyber threat intelligence from the government to the private sector in (near) real time, through a no-cost mechanism.
  - Congress should direct a study on the most appropriate policies and procedures for Federal agencies to adopt and implement for transfer of cyber threat intelligence to the private sector such that the information may be shared in real time or near real time with healthcare organizations.
  - The study should assess which Federal agency or other entity may be best suited to be the central conduit to facilitate the cyber threat intelligence information sharing.