The 2016 Omnibus spending package, signed into law by President Obama, includes language seeking to improve information sharing about and protection against cyber threats. Professional associations have responded with their support, particularly for the industry-specific approach.

“The Cybersecurity Act of 2015, particularly Section 405, recognizes that the healthcare industry faces unique challenges in safeguarding patient information,” said CHIME Board of Trustrees Chair Charles E. Christian, CHCIO, LCHIME, FCHIME. “We believe that the act will not only improve information sharing among key stakeholders, but also help healthcare providers understand and adopt best practices.

The law includes a provision requiring the Department of Health and Human Services to convene a task force that will analyze how other industries are addressing cybersecurity. “The task force will also be charged with assessing barriers that our organizations face in protecting against cyberattacks.” Christian also noted the act’s $31.5 million to enable the National Institutes of Standards and Technology to establish the National Cybersecurity Center of Excellence. The law will lead to the creation of industry-led guidelines and best practices. Importantly, it extends liability protections to organizations that voluntary engage in information sharing, he said.

“Healthcare chief information officers and chief information and security officers are tasked with the daunting job of protecting patient information in a highly digital environment. Threats are evolving and there's no respite on the horizon. The Cybersecurity Act of 2015 will allow CIOs and CISOs to share threat indicators and suspected vulnerabilities through a secure national information-sharing infrastructure with the necessary liability protections in place and will not risk patient trust. As an important piece of the nation's critical infrastructure, it is vital that healthcare organizations have the tools and information  they need to identify and more effectively defend against growing cyber threats.”

The Health Information Trust Alliance (HITRUST) issued a statement offering its support of the act. HITRUST supports the bill because “it formalizes the process for information sharing, encouraging private entities to share amongst themselves and with the government. The act provides legal certainty that companies sharing information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time, as well as when taking actions to mitigate cyberattacks.”

HITRUST noted the act’s direction on evaluating how to most effectively disseminate cyber threat information from the government to industry. “As an official Information Sharing and Analysis Organization (ISAO), HITRUST operates the healthcare sector’s most active cyber threat exchange, the HITRUST CTX. HITRUST also coordinates heath industry’s most widely engaged cyber preparedness and response exercises through its CyberRX program and provides other programs including monthly industry cyber threat briefings.”

HITRUST noted its support for “a health industry-specific cybersecurity approach as well as associated guidance and best practices, leveraging industry standards that are developed through a public and private consensus-driven process. This recognition reinforces the significance of efforts already underway by HITRUST in coordination with the Healthcare and Public Health (HPH) Government and Private Sector Partnership for Critical Infrastructure Security and Resilience (CISR) to develop an industry-specific framework and guidance.

Although industry is making improvements in cyber readiness and response, by singling out the healthcare industry, the act sends a clear message that law makers are concerned with the pace of this progress.”