On Friday, December 18, 2015, Congress approved a $1.8 trillion spending and tax bill. The bill is entitled the “Consolidated Appropriations Act 2016” (CAA),[1] more commonly referred to as the “Omnibus Spending Bill.”
The Act was extensive and received considerable press coverage, with strong commentary for and against the items included. One area that did not receive much public attention was the inclusion in the CAA of the “Cybersecurity Information Sharing Act” (CISA), which bears on cybersecurity in the healthcare industry.[2] Part of the reason for addressing cybersecurity in this bill is the difficulty of guarding against the increasing attacks on protected health information (PHI).
According to numerous studies, medical data breaches, a large number of which are criminal, are increasing at a rapid rate.[3] According to IT experts, a patient’s medical information “… is worth 10 times more than [a] credit card number on the black market.”[4] Given the limited resources available in many cases, the ability of healthcare providers to defend protected health information is less than adequate. In one report, half “…of all healthcare organizations, both Covered Entities (CEs) and BAs, have little or no confidence that they have the ability to detect all patient data loss or theft.”[5]
From the very earliest Privacy Rule (published December 28, 2000, with required compliance by April 14, 2003)[6] through the Omnibus Final Rule (published January 17, 2013, with compliance required by September 23, 2013), the HIPAA privacy and security regulations have required the protection of individually identifiable health information that qualifies as protected health information (PHI).[7] The Office for Civil Rights (OCR) has repeatedly made this requirement clear when resolving violations through Resolution Agreements (RAs) and Corrective Action Plans (CAPs). In one large $800,000 settlement, the following statement was made: “As a covered entity under the HIPAA Privacy Rule” the CE “must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.”[8]
In the CAA, funds for cybersecurity are to be made available to a number of agencies, including the IRS and Homeland Security.[9] However, the current attention to its application in the medical arena comes in the form of the Act within an Act mentioned earlier, i.e. the CISA.[10] Title I of the CISA is entitled “Cybersecurity Information Sharing” and discusses cybersecurity threats and security measures.[11] Title I directs that “…the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of the appropriate Federal entities, shall jointly develop and issue procedures to facilitate and promote…” the timely sharing of threat indicators and defensive measures.[12] Specifically for healthcare, a “Healthcare Industry Cybersecurity Task Force” will be established.[13] This Cybersecurity Task Force will “…assess current cyber threats faced by the healthcare industry.”[14] The intent is to review threats specific to healthcare, the methods used by those attempting to obtain PHI, and the defensive methods used in other industries, and to provide advice to healthcare providers.[15]
Help May Be On The Way
In spite of complaints about the expenditures in the CAA, it should be welcome news that some attention is being given to this medical information security problem. We have yet to see the finalization in 2016 of the CISA procedures and any “Task Force” recommendations, but the results may be helpful. In the meantime, all medical providers should give serious consideration to these increasing attacks on patient PHI and check their HIPAA policies, procedures, and training methods for compliance.