Dive Brief:
- The Cybersecurity Information Sharing Act (CISA) was passed by the Senate in a 74-to-21 vote. The House passed a similar bill, the Cyber Intelligence Sharing and Protection Act (H.R. 3523) in 2013, but it stalled in the Senate.
- The bill would give hospitals and health systems liability protection when sharing cyber threat data with the government in efforts to improve detection, mitigation, and response to such threats.
- The bill contains several key healthcare provisions, according to an article in iHealthBeat. It would require HHS to appoint an official to coordinate health cybersecurity efforts, request a report from HHS on emerging healthcare cyber threats, request HHS to create best practices on how health industry leaders can voluntarily follow data security measures, and create a task force of health industry leaders and cybersecurity experts to identify challenges and solutions for cybersecurity, and create a central, federal resource on cyber intelligence for rapid responses to active threats.
Dive Insight:
Many privacy advocates argued the bill would not protect individuals' personal information. Several amendments were added to the bill to address these concerns, which may have helped gain Democratic support by key leaders such as Sen. Tom Carper (D-DE), the ranking member of the Senate Homeland Security and Government Affairs Committee, according to The Hill. An amendment package was agreed to be considered by the Senate this summer and included some provisions to limit data companies from sharing with the government and create a filter at the Department of Homeland Security to "scrub" personal information before sharing data with the government and prevent "controversial" uses of the data by the government.
However, the Senate voted last week to end debate on the amendment package to the bill.
Although healthcare organizations, like the College of Healthcare Information Management Executives (CHIME) and Healthcare Information & Management Systems Society (HIMSS), are strong proponents of the bill, many civil liberties groups, and tech companies like Apple and Twitter, remain opposed to it, according to Healthcare IT News. Several amendments to address privacy concerns, as mentioned above, failed to pass the Senate. However, many health IT groups say the legislation will enable the government to help private sector organizations secure their information by providing more insight into cyber threats.
Big healthcare data breaches have become an unwelcome trend in the industry and the reason Sen. Charles Schumer (D-NY) urged Congress to bring the bill to the floor for a vote last month. As reported by Healthcare Dive, Sen. Schumer cited the Excellus BlueCross BlueShield breach that was not discovered for 19 months and affected 10 million people.
Yet, opponents say the bill uses "overly broad, ill-defined language," and "aims to sidestep search warrants and other pesky due process limitations on government by giving technology companies a motive to 'share' what it calls 'cyber-threat indicators' to the Department of Homeland Security," as reported in The Slate.
The bill will still need to be reconciled with the House bill (CISPA) that passed in 2013.