July 26, 2011  Health Care Cybersecurity Reform and Regulations on the Horizon
CYBERSECURITY AND HEALTH CARE CLIENT ALERT
This Alert provides only general information and should not be relied upon as legal advice. This alert may be considered attorney advertising under court and bar rules in certain jurisdictions.

For more information, contact your Patton Boggs LLP attorney or the authors listed below.

Norma M. Krayem
202.457.5206
nkrayem@pattonboggs.com

Stephen P. Nash
303.894.6173
spnash@pattonboggs.com

Todd Tuten
202.457.5215
ttuten@pattonboggs.com

Nick Allard
202.457.6465
nallard@pattonboggs.com

Melodi M. Gates
303.894.6111
mgates@pattonboggs.com

WWW.PATTONBOGGS.COM

Beyond HIPAA’s Moving Target: White House Releases Cybersecurity Blueprint

On May 12, 2011, the White House sent a long-awaited series of cybersecurity legislative
proposals to Congress articulating four main goals and objectives and focusing on the
need to protect the American people, the nation’s critical infrastructure and the federal
government’s networks. The proposals also stress the need to create new frameworks to
protect individuals’ privacy and civil liberties. The White House surprised many in the
private sector by including privacy, data breach and data security issues in the
cybersecurity proposals.

The Senate continues to work on its cybersecurity bill, and Speaker Boehner recently
announced a “Task Force” to review these issues and draft policy recommendations to
submit to House leadership in the next few months. To date, congressional reaction to the
White House proposal has been mixed, with some Senate Homeland Security Committee
members offering support while others on the House Judiciary Committee voice serious
doubts. There are a host of issues that Congress has addressed that were not included in
the White House draft, including: specific presidential authority to declare a national
emergency in response to a serious cyber incident and to direct the private-sector owners
of critical infrastructure to take action; R&D programs; workforce training and awards
programs; creation of a specific White House cybersecurity official; and broad application
of fair information practices.

Other bills continue to be introduced in this area, including the Secure and Fortify
Electronic Data (SAFE Data) Act recently introduced by Congresswoman Bono Mack (R-
CA), which specifically excludes entities that are already subject to the HIPAA/HITECH
rules but leaves open questions regarding consistency and coverage.

Key Components of White House Proposals
The White House has proposed specific legislative language that would:

     •    Grant the U.S. Department of Homeland Security (DHS) the ability to govern
          cybersecurity plans for all Critical Infrastructure (CI), including health care;1
     •    Require CI owners, including health care providers, to create cybersecurity
          plans that would be subject to oversight by DHS and third party auditors;
     •    Mandate consistent data breach notification duties and preempt most current state
          data breach notice laws;
     •    Provide improved tools for prosecuting cybercrime;
     •    Prevent states from restricting most data center locations;
     •    Centralize cybersecurity authority for federal systems within DHS; and
     •    Reform the widely-criticized approach to ensuring adequate cybersecurity in
          federal systems under the Federal Information Security Management Act (FISMA).

1 “Critical Infrastructure” is defined by DHS and includes 18 different sectors: (1) Agriculture and Food, (2) Commercial Facilities,
(3) Dams, (4) Energy, (5) Information Technology, (6) Postal and Shipping, (7) Banking and Finance, (8) Communications, (9)
Defense Industrial Base, (10) Government Facilities, (11) National Monuments and Icons, (12) Transportation Systems, (13)
Chemical, (14) Critical Manufacturing, (15) Emergency Services, (16) Health Care and Public Health, (17) Nuclear Reactors,
Materials and Waste, and (18) Water Systems.

Impact on the Health Care Community
Given the breadth of the issues included in the White House proposals, along with existing
bills on which Congress is already working, it is clear that cybersecurity reform, regulations
and enhanced reporting are on the immediate horizon. These changes will have a
significant impact on the health care community, beyond the discrete updates likely to be
forthcoming as HHS finalizes several pending HIPAA-related rulemaking projects.

DHS Would be Granted Primary Cybersecurity Authority for Critical Infrastructure
Under the White House proposals, DHS would have the ability to: designate entities,
including health care organizations, as “covered critical infrastructure;” create “risk-based
tiers” to further distinguish levels of risk; and maintain a list of covered critical
infrastructure. The White House approach also would “obligate” CI providers to: develop
and maintain cybersecurity plans; utilize DHS-certified third party auditors to evaluate their
plans; and conduct an annual officer-level certification. While no provisions for civil or
criminal penalties are included in the White House proposal, DHS would be granted
authority to publish the names of non-compliant entities. The possible result: health care
providers also designated as CI providers may risk losing market strength and credibility
with their patients unless they implement and maintain strong DHS-approved
cybersecurity plans in addition to their current HIPAA Security Rule compliance activities.

The proposal also directs DHS to collaborate with sector-specific regulators, such as HHS,
in developing cybersecurity requirements. The health sector already has a host of existing
regulations, such as the HIPAA Security Rule, Meaningful Use standards and pending
HITECH-related rule changes. However, the fact remains that the present HIPAA Security
Rule lacks detailed standards and prescribed practices and a DHS review may create
additional regulations once the legislation is passed in Congress.

Data Breach Notification Proposals
The White House proposes a national breach notification standard that would preempt the
current landscape of differing state laws while exempting covered entities, business
associates and PHR providers already subject to federal breach notification requirements
under HITECH. Business entities that annually handle sensitive personally identifiable
information (SPII) for more than 10,000 individuals would have to provide notice of any
data breach to affected individuals. However, the current proposal is not clear on which
rules would apply if an entity currently subject to the HITECH rules were to breach SPII
that is not also Protected Health Information (PHI).

In contrast to the HITECH regulations that apply a “harm threshold” to the definition of
“breach,” the White House approach would only provide a limited notification exemption if
an organization suffering a data breach performs a “risk assessment,” determines there is
no reasonable risk of harm to the individuals whose SPII was compromised and reports its
findings to the Federal Trade Commission (FTC) after the breach discovery.

The White House recommendations have the potential to simplify breach notification
requirements for covered entities, business associates and PHR providers now subject to
both HITECH and state obligations. Further, because the HITECH regulations are
currently interim final rules (IFRs), HHS and the FTC could choose to realign or otherwise
rationalize and integrate these potentially differing approaches as the rules are finalized.
By engaging in the rulemaking process, organizations can help to minimize any
potential conflicts, especially for those that handle both PHI and SPII.

New Tools for Law Enforcement
The proposal provides law enforcement with several new tools that encourage more
victimized organizations to report cybercrimes and increase the potential for successful
prosecution and deterrence, including:
      •    Modifying the definition of racketeering under the Racketeering Influenced and
           Corrupt Organizations Act (RICO) to include cybercrimes;
      •    Expanding the scope of prohibitions against trafficking in passwords and other
           means of access;
      •    Streamlining penalty provisions;
      •    Imposing mandatory, and increased, sentencing for those who commit cybercrimes
           that impact critical infrastructure; and
      •    Exposing those who conspire or attempt to commit cybercrimes to the same
           potential punishment as those who commit a completed offense.

Given the increased incidence of “hack attacks” across a variety of industries and
government programs, health care providers, and especially those larger systems
and health insurance providers, are potential targets and thus may benefit from
improvements in law enforcement capabilities.

Limits on Data Center Location Restrictions
Finally, the White House has proposed that states be precluded from imposing restrictions
on the location of data centers as a part of any state certification, licensure or other
approval relating to business operations, except where they are limited to the operation of
state facilities. Under this proposal, health care providers, especially those looking to
streamline multistate operations, would thus be allowed to base their site decisions on
business judgments, including cybersecurity and disaster preparedness, without undue
state interference.

What’s Next?
Shortly after sending Congress its cybersecurity proposals, the White House also
published what White House Cybersecurity Coordinator Howard Schmidt termed “the
United States’ first comprehensive International Strategy for Cyberspace.” The strategy
calls for a global Internet that is open, interoperable, secure and reliable and focuses on
building and strengthening bilateral and multilateral relationships. By publishing the
strategy on the heels of its legislative proposals, the White House clearly underscored its
ongoing commitment to cybersecurity development both at home and abroad.

Patton Boggs will continue to monitor these rapidly evolving proposals in the health care
cybersecurity and privacy arena. Please let us know if you have any questions or would
like to explore the potential challenges and opportunities these developments may bring to
your organization. For more information regarding Patton Boggs’ Health Care, Homeland
Security, Defense and Technology Transfer, and Privacy and Data Security practices,
simply click on the hyperlinked text above or visit pattonboggs.com.


This Alert provides only general information and should not be relied upon as legal advice. This alert may also be
considered attorney advertising under court and bar rules in certain jurisdictions.




WASHINGTON DC | NORTHERN VIRGINIA | NEW JERSEY | NEW YORK | DALLAS | DENVER | ANCHORAGE | DOHA, QATAR | ABU DHABI, U.A.E
