
Appropriations act to spawn healthcare cybersecurity group

The Department of Health and Human Services is charged with assembling a healthcare cybersecurity task force that will study how other industries defend their data and apply those lessons to healthcare.

Healthcare providers will soon receive official recommendations on how to protect themselves and their data from cyberattacks. President Barack Obama recently signed the Consolidated Appropriations Act, 2016 into law. Included in that legislation is the Cybersecurity Act of 2015, which directs the creation of a healthcare cybersecurity task force to provide healthcare entities with security recommendations and best practices. The bill imposes no new mandates on physicians; its intent is to examine and improve the present state of healthcare cybersecurity.

The act designates the U.S. Department of Health and Human Services (HHS) as the lead agency for addressing cybersecurity threats to the healthcare sector. The first step under the bill is the creation of a task force. The team will be set up by the HHS secretary, Sylvia Mathews Burwell, in consultation with the National Institute of Standards and Technology and the secretary of the U.S. Department of Homeland Security, and it will include healthcare professionals and cybersecurity experts. The task force must be established within 60 days of the act's enactment.

The task force will start by assessing the cybersecurity controls and data safeguards used in other industries, such as banking and retail. Those sectors have been repeated targets of cyberattacks and have steadily improved their defenses and response capabilities in return. Because of that experience, they have likely converged on a common set of security best practices that healthcare can borrow from.

In addition, the task force will evaluate the data protection challenges specific to healthcare entities. As part of that work, it will investigate whether physicians and other healthcare professionals are unable to invest in and implement sufficient security measures, and why. Possible barriers include a lack of affordable security products, inadequate security education and the absence of clear security standards.

The task force will be active for one year. Once it completes its analysis and compiles its findings into a report, it will deliver that report to the HHS secretary. The secretary will then be responsible for disseminating the information to healthcare organizations to help them reduce their cybersecurity risk. Medical practices and other healthcare entities can then voluntarily adopt some or all of the task force's recommendations.

The resulting guidance is intended to serve as a centralized security resource designed for healthcare entities. In the interim, providers will still need to rely on their IT departments and third-party vendors to keep them protected and to ensure they remain compliant with HIPAA regulations, which the act does not change. Despite the creation of the task force and its goal of producing security guidance, the bill explicitly states that it does not give HHS the authority to audit, enforce or require healthcare organizations to adopt any of the recommendations.
