CISA headed for Senate vote despite criticism

The Cybersecurity Information Sharing Act (CISA) has cleared numerous hurdles but faces more before it becomes a law that secures private data networks against malicious hackers.

Sponsored by Richard Burr (R-N.C.), chairman of the Senate Select Committee on Intelligence (SSCI), and Dianne Feinstein (D-Calif.), the committee’s ranking Democrat, CISA offers incentives for companies to share early “cyberthreat indicators” with the Department of Homeland Security. 

For example, hospitals and health systems would get liability protections when they share cyberthreat data with the government.

But, some privacy advocates and technology companies have said the bill would do little to strengthen cybersecurity and protect individuals' personal information. Some say the bill offers a solution to a problem that doesn’t exist and is a major threat to U.S. citizens’ privacy rights.

Sharing these data could open organizations up to legal action should they inadvertently share personal data.

CISA "contains critical provisions that would move the entire healthcare community forward in addressing the many challenges of an increasingly complex health IT cybersecurity landscape," noting that the provisions "would create the infrastructure and support required by health care ... to better identify cyberthreats," said Lisa Gallagher, HIMSS vice president of technology solutions.

The "Senate needs to send the president a good cyber bill this year," wrote Ann Beauchesne, senior vice president for national security and emergency preparedness at the U.S. Chamber of Commerce, in an opinion piece on The Hill's "Congress Blog.” Noting the costs associated with cyberattacks, Beauchesne said CISA “is a step in the right direction.”

Critics, however, cite the Department of Homeland Security’s existing cyberthreat alert system, compiled by the department’s Computer Emergency Readiness Team (DHS-CERT). It monitors public and private network threats and provides daily updates to anyone who wants to subscribe. That system hasn't been deemed a success or a failure so why replace it?

The proposed law puts DHS in charge of the new data collection powers but what will and can happen to the data also is under question. CISA gives Homeland Security the power to share data with "any federal agency or department, component, officer, employee, or agent of the federal government." That could include law enforcement bodies like the FBI and ATF, intelligence agencies like the CIA and NSA, or private contractors hired by federal agencies.

The bill instructs the government to protect the confidentiality of personal data “to the greatest extent practicable,” but exactly what is "practicable" won't be determined until after CISA becomes law and government agencies begin drafting specific guidelines.

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.