HSCC Recommends Consultation Process on Healthcare Cybersecurity Improvements

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has urged the Trump administration to initiate a series of structured consultations and workshops with healthcare industry stakeholders to obtain consensus on a modernized healthcare cybersecurity policy, rather than implement the proposed changes to the HIPAA Security Rule.

In January this year, the HHS’ Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) in the Federal Register outlining changes to the HIPAA Security Rule to improve healthcare cybersecurity. The NPRM ran to almost 400 pages and significantly expanded the cybersecurity requirements for HIPAA-regulated entities, including annual HIPAA Security Rule compliance audits, a comprehensive network map and asset inventory, a plan to restore critical systems within 72 hours, and verification that business associates have implemented the necessary technical safeguards.

The comment period for the NPRM recently closed, and Tim Noonan, OCR’s Deputy Director for Health Information Privacy, Data, and Cybersecurity, confirmed that 4,745 comments have been received and OCR is currently reviewing the feedback. The HHS has estimated that the cost of compliance will be around $9 billion in the first year and an estimated $6 billion a year for the next four years.

Several industry groups including the College of Healthcare Information Management Executives (CHIME), the American Health Care Association, and the Medical Group Management Association criticized the proposed HIPAA Security Rule update due to the challenges that regulated entities will face implementing the new requirements and the high cost of compliance, calling for the Trump administration to rescind the NPRM.

HSCC issued a statement confirming that it shares those views, claiming the proposed update to the HIPAA Security Rule is not practicable, that compliance will be complex and costly, and that even if compliance is achieved, the proposed measures may not be effective at improving security. HSCC said many of the 52 CWG member industry associations have submitted feedback on the proposed rule to that effect. The HSCC CWG has urged the Trump administration to suspend any further consideration of the NPRM and instead initiate a year-long consultation process with the HSCC CWG and the owners and operators of national critical healthcare infrastructure to reach a consensus on the best policies for improving healthcare cybersecurity, resiliency, and accountability.

Greg Garcia, Executive Director of HSCC, explained that the CWG is a long-standing and respected partner to the government and has led initiatives that have measurably improved cyber defenses and resiliency to protect patient safety. The CWG played a key role in the development of the Health Industry Cybersecurity Practices (HICP) and has produced cybersecurity best practices for medical device security, supply chain cybersecurity, incident response, and workforce development. HICP was also included in the recognized security practices that OCR considers when assessing regulatory penalties following a data breach.

The HSCC-405(d) partnership also jointly developed the Hospital Cybersecurity Landscape Analysis, which identified the most prevalent threats and vulnerabilities exploited in cyberattacks on the healthcare sector, along with the controls that would most effectively address them, leading to the development of the HPH Cybersecurity Performance Goals and the HSCC Prioritized Recognized Cybersecurity Practices.

“As HICP, the HPH Cyber Performance Goals and other leading practices developed by the CWG were designed to map in various degrees to the NIST CSF, we propose that the HSCC Cybersecurity Working Group and other leaders in the industry convene with government to design a healthcare-specific policy, programmatic and regulatory framework that maps to CSF for all interconnected owners/operators and their supporting infrastructure in the healthcare ecosystem,” explained Garcia. “The framework would be informed in part by the methodologies and findings of the Hospital Landscape Analysis and the HSCC Prioritized Recognized Cybersecurity Practices.”

Garcia also suggested that any technology or service provider that interacts with the healthcare industry should be held to higher standards of cybersecurity, and that the framework should also be applied to technology and service providers that are currently unregulated. Garcia explained that healthcare organizations understand that cyber health and patient care would be better served by higher levels of accountability and enforcement, on the principle that cyber safety is patient safety, even if that comes at an increased cost; however, “Any enhanced regulatory requirements must also be promulgated with thoughtful assessment of their operational feasibility and security effectiveness, and with appropriate backstops for those on the razor’s edge of clinical resiliency and financial solvency,” Garcia said. “If we can negotiate a rational regime for accountability, as a rising tide lifts all boats rather than a breaking wave capsizing them, we will jointly succeed.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com