The hotly contested Cybersecurity Information Sharing Act of 2015 (CISA) was signed into law December 18, 2015 as part of the 2016 omnibus spending package.
At its core, the intent of CISA is to encourage businesses—with healthcare among the most targeted sectors—and the federal government to share cyberthreat information with the aim of improving data security.
Samantha Burch, Senior Director, Congressional Affairs at HIMSS, says that with CIOs reporting cybersecurity as a constant challenge, improved tools and information to combat threats could be game-changing in health IT.
She highlights two primary points about the legislation:
- It is not foremost about collecting data from healthcare entities, but about providing an information flow from the government to healthcare entities.
- Any action on the part of healthcare entities is voluntary.
She notes what passed was a piece of legislation based on the Senate’s CISA bill and two House cybersecurity information sharing bills that had passed.
“It certainly resembled the Senate CISA bill in many ways but also had components of the House bills as well,” she says.
Overall, the bill sets up the infrastructure for what cyberthreat information sharing would look like between the government and the private sector, Burch says.
More specifically, there is a section of the bill that deals directly with healthcare, which originated as a bipartisan amendment to CISA by Senate health committee Chairman Lamar Alexander and ranking member Patty Murray.
Burch describes it as containing three overall components:
- The first primarily deals with HHS internally, requiring the identification of a point person and the development of a plan from each division on its responsibilities and efforts to address cyberthreats in healthcare.
- The second requires the establishment of an industry task force by HHS that would look at challenges and barriers specific to the sector, as well as lessons learned from other sectors. It would also develop a plan to ensure there is a single pipeline of actionable, real-time threat data available at no cost to all healthcare organizations.
- The third calls for HHS, in collaboration with NIST, DHS and the industry, to identify a set of voluntary, consensus-based guidelines, best practices and methodologies to help healthcare organizations better address cyberthreats.
“The bill overall is setting up an infrastructure for voluntary cyberthreat information sharing. It is not required,” Burch says.
As for why there is backlash against the legislation—most notably from tech firms and civil liberties groups—Burch suggests it comes down to concerns about privacy, but she doesn’t see negative industry impacts.
“There are sensitivities to bills that could be construed as surveillance bills and some have painted this to be that,” she says. “Our belief is that it’s not, and that it’s an appropriate role for government to set up this infrastructure, in a voluntary way so that organizations have access to cyberthreat data and also to encourage better information sharing within the government.”
Given the dynamic and growing nature of cyberthreats, however, which can include state-sponsored attacks and organized crime, Burch agrees there’s no silver bullet. “But I think it’s an important first step in ensuring tools and resources are available to the sector,” she says.
However, as reported by Wired, much of the concern from privacy advocates is around whether CISA will be truly voluntary, or whether participation will become tied to incentives that in actuality leave little choice.
Burch says she has a high level of confidence that the development of these tools, resources and plans will include significant stakeholder input. There has been an underlying theme that the industry has a voice, she says.
Activity can be expected to move quickly this year, with a first step being the creation of the task force.
At the same time, Congress remains very interested in cybersecurity and what it can do to provide assistance to the healthcare sector, Burch adds. “We’ll continue to see focus on this,” she says. “This is certainly not the end of the road.”