Healthcare Cybersecurity Addressed in Omnibus Bill
New cybersecurity provisions specifically for the healthcare industry have been added to the Omnibus bill passed by Congress late last week. They are intended to help healthcare organizations tackle the growing risk of cyberattacks by providing the information and guidance they need to shore up their defenses, plug security gaps, and become less vulnerable to cyberattacks. The new legislation is part of the Cybersecurity Information Sharing Act, passed by Congress on Friday.
One of the ways that the new legislation will help healthcare organizations is with the formation of a new Cybersecurity Task Force. This is scheduled to take place during the first 90 days following the introduction of the new legislation. The purpose of the task force is to assess the current cyber threats faced by the healthcare industry. The methods used by cybercriminals to break through security defenses will be analyzed and vulnerabilities assessed. The task force will also study how other industries are managing to repel attacks. Healthcare organizations will then be advised on the best actions to take to improve their defenses.
The data held by healthcare providers and insurers is extremely valuable to cybercriminals, much more so than credit card numbers. Consequently, hackers have been targeting healthcare organizations with increased frequency and vigor in recent years. Ever more sophisticated methods of attack are being developed and the industry has been struggling to cope with the onslaught. Budgetary constraints have also made it difficult for healthcare organizations to implement appropriate defenses to deal with the rapidly changing threat landscape.
One of the main problems faced by small to medium-sized healthcare organizations is how to gain access to vital cybersecurity intelligence in real time. Such information must be made available to healthcare organizations if cybersecurity threats are to be effectively tackled, which means that it must be made available without cost.
At present, only large healthcare organizations with deep pockets are able to gain access to this information. Smaller healthcare providers simply do not have the funds available to gather the necessary intel.
The Healthcare Information Management Systems Society (HIMSS) has played an important role in getting these new provisions introduced into the legislation. HIMSS has long called for additional support to be provided to the healthcare industry by the government to help organizations deal with new cybersecurity threats. Numerous conversations have taken place between HIMSS and the Committee of Health, Education, Labor and Pensions. A number of recommendations made by HIMSS are now due to be implemented.
The Department of Health and Human Services will also be required to work more closely with the Department of Homeland Security and, with assistance from NIST, will develop a new set of cybersecurity standards and best practices for healthcare organizations to adopt. New guidelines are to be produced which will allow healthcare organizations to create policies to combat the current risk of cyberattacks and safeguard the Protected Health Information of patients more effectively.