Obama's Cybersecurity Plan Could Preempt HIPAA

This week President Obama announced a number of new initiatives aimed at improving cybersecurity to better protect consumers. 2014 was a year in which hackers successfully gained access to the computer systems of retailers, corporations, healthcare providers and educational institutions, and even the Pentagon's Twitter account was successfully hacked. Cybercriminals were able to steal and expose personal and corporate data, commit identity fraud, obtain Medicare and Medicaid services and make fraudulent insurance claims, and the threats remain for the individuals affected.

The volume of electronic personal data now being stored means security breaches can easily affect many millions of individuals. Last year U.S. companies – and many healthcare organizations – were targeted by criminals and highly complex attacks exposed financial and personal consumer data on a grand scale.

Home Depot hackers stole the credit card information and personal data of 56 million Americans. Hackers were able to obtain 40 million credit card numbers from Target as well as the personal information of some 70 million individuals. Community Health Systems was hacked and 4.5 million patient records were exposed. Breaches in healthcare from lost or stolen electronic devices appear small in comparison to these major breaches, but have been responsible for exposing the protected data of many millions of Americans.

An Elevated Cybersecurity Risk Calls for Tougher Legislation

The cybersecurity threat level is at an all-time high and the government is responding with tougher legislation. In a speech given on Tuesday, Obama highlighted the scale of the problem, which he is also planning to discuss at the State of the Union address next week. “One of the things we’re going to be talking about is cybersecurity. With the Sony attack that took place, with the Twitter account that was hacked by Islamist jihadist sympathizers yesterday, it just goes to show how much more work we need to do, both public and private sector, to strengthen our cybersecurity.”

In a speech delivered at the Federal Trade Commission on Monday, Obama announced that he is planning to increase data security measures to protect student data and safeguard America’s financial health. Measures to improve the protection of student data include the introduction of the Student Digital Privacy Act, which will limit the use of student data to educational purposes. The new legislation will prevent companies from selling student data to third parties or using the information for targeted advertising campaigns, although this legislation has yet to be passed by the Senate.

If passed, the new legislation – modeled on the law introduced in California – will take effect in January 2016. To date, 75 educational organizations and companies have pledged to protect the data of both students and staff, and have shown support for the new drive to improve data privacy in education.

Breach Notifications to be Sent to Consumers within 30 Days

Obama also announced new initiatives to improve cybersecurity for all Americans, allowing rapid action to be taken by both the government and victims of breaches to mitigate any damage caused. One such initiative is the introduction of the Personal Data Notification & Protection Act, which will require all consumers affected by security breaches – those that potentially disclose their personal information – to be notified within 30 days of the breach.

The proposed changes will need to go before the Senate for approval; however, Obama has stated that the new laws are bipartisan in scope and for the benefit of all Americans. In his words, the proposed change “transcends politics, it transcends ideologies – liberal, conservative, Democrat, Republican. Everyone is online.” The reaction from the Republican camp appears to be positive.

Will the New Cybersecurity Measures Preempt HIPAA?

Obama did not specifically refer to healthcare cybersecurity; however, the proposed legislation requires notifications to be sent to consumers within 30 days of a breach. Under the HIPAA Breach Notification Rule, covered entities and their business associates are allowed up to 60 days from the date a security breach is discovered to send notification letters to the affected individuals.

It would not make sense for data breaches affecting healthcare providers to be treated differently from breaches at retailers; hackers are targeting both for financial and personal information. It appears likely that the new legislation will require HIPAA to be amended, or at least will preempt it, with healthcare providers and their business associates being forced to conduct their investigations more rapidly in order to meet the new timescales.

Organizations Given Immunity for Sharing Protected Data

The new legislation criminalizes the sale of student data and the overseas sale of stolen U.S. financial information, and federal laws will also be expanded to target spyware vendors and identity thieves. It would become illegal to sell botnets, one of the main ways hackers are able to cripple web services, and other more stringent measures are to be introduced to discourage individuals from criminal activities and actions which could threaten cybersecurity in the U.S.

In a speech given at the National Cybersecurity and Communications Integration Center on January 13, Obama announced his hope of getting the private sector to participate in a program of information sharing. In the new legislation he plans to offer a degree of liability protection which will allow organizations to share data with the Department of Homeland Security without fear of breaching data privacy and security laws.

Privacy Groups Express Concern

Some of the initiatives have come under criticism for their broad nature. In particular, privacy groups have expressed concern about the volume of data that could potentially be handed over to Homeland Security and shared, in “near real time”, with government agencies, which could include the Pentagon, the NSA and the FBI. The Electronic Frontier Foundation is one of the organizations to have spoken out about the proposed changes.

The sharing of information could ensure even greater cybersecurity protection and could allow threats to be neutralized much more quickly. The volume of information gathered would also greatly help law enforcement in the fight against cybercrime.

However, it is important that any data shared is limited to what is needed to achieve the desired effect and does not include personal identifiers or similar information. The data Homeland Security would be provided with is likely to be restricted to IP addresses and routing information, rather than personal or protected consumer information.

Brian Evans, senior managing consultant at IBM Security Services, told HealthDataManagement.com, “It is broadly written but does provide an exception to existing law designed to protect any shared personally identifiable information and would make healthcare organizations immune from both civil and criminal liability for any action as long as it was in good faith.”

He went on to say, “After being involved with hundreds of security incidents, I have never seen an instance where personally identifiable information had to be shared in order to combat cybersecurity threats… healthcare organizations do not need to share nor should they share any PII with the government in support of this collaboration unless there is some extenuating circumstance.”

Free Credit Scores for Consumers

One measure certain to be introduced – as it does not require approval from Congress – is the provision of free credit scores by financial institutions as part of a new partnership with Congress. A number of financial institutions have already signed up, including JP Morgan, USAA and Bank of America.

Obama believes it is important for individuals to keep close track of their finances and monitor their credit for signs of fraud. No individual should be prevented from doing so because they cannot afford to pay to obtain their credit score. The change will ensure that in the event of a breach, individuals will be able to quickly identify themselves as victims, report the crime and take action to mitigate any damage caused.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.