At the State of the Union address earlier this year, President Obama announced a cybersecurity executive order, Improving Critical Infrastructure Cybersecurity, in the wake of failed efforts to pass cybersecurity legislation in 2012. If it hasn't already been assumed to be a part of it, healthcare may soon be pulled into it, creating a new layer of compliance mandates and, possibly, grant funding to ease capital investments needed to comply, said speakers at the PHI Protection Network's recent forum in Cambridge, Mass.
In a nutshell, the order began by assigning the National Institute of Standards and Technology (NIST) the development of a cybersecurity framework, which involves working with leaders of various industries to develop common digital information security risk assessments and best practices. The key phrase for healthcare CIOs and compliance leaders to watch is "critical infrastructure," Josh Magri, associate vice president of the Internet Security Alliance (ISA), told SearchHealthIT.
Magri pointed out that the executive order (in Section 2) does not specifically name hospitals and other healthcare providers when it defines "critical infrastructure" as systems or assets that, if taken offline, would have a "debilitating impact on … public health or safety." But as federal agencies such as the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS) sit down with NIST to develop the framework, they could easily declare healthcare providers subject to the order.
In discussions with the DHS, Magri said it's likely healthcare providers "can look forward to more regulations coming down the line." But incentives to adopt the common cybersecurity framework could very well be in the offing, too.
"The executive order basically has the government getting its house in order; there are no regulations that have come out from it [yet]," Magri said, adding that he encourages healthcare CIOs to adopt cybersecurity best practices as outlined in the SANS 20 and the Verizon Data Breach Investigations Report, not only in order to protect their patients and network infrastructure, but also to be in an early position for incentives.
Health IT leaders can help steer the process
Magri also encourages healthcare IT leaders to get involved in discussions with the government officials developing the plan. Hospital leaders who get involved now can potentially help steer the terms of the regulations as well as the incentive program parameters, which might lower their eventual compliance burdens.
"The timelines on the executive order for deliverables -- such as incentives, such as identification [of who falls under critical infrastructure] -- are all within 120 days or 150 days" from Feb. 14 when Obama issued the order, Magri said. "You really have got to get going."
He added that deliverables will have to be completed 30 days prior to those deadlines, so the corresponding agencies in charge of them (HHS, DHS, NIST) have time to review the documents and sign off.
In a presentation at the conference, compliance expert and Santa Fe Group CEO Catherine Allen said she believes hospitals, ambulance services and medical communities already fall under the executive order.
"It will mean increased costs; it will mean increased regulatory oversight in some form, and I think within the next year we'll see most of the new rules coming out," Allen said.