The much-anticipated executive order titled “Improving Critical Infrastructure Cybersecurity” was recently unveiled by the White House. As much praise as the President’s order garnered, there are still many unknowns about how the order impacts not just healthcare but all major industries in the United States. In the era of HIPAA, HITECH, SOX and another dozen regulatory security compliance acronyms, how should the order be regarded? Potential, nothing more.
To understand what the executive order means and doesn’t mean, we have to break it down into its two primary components: information sharing and a security framework. Of these two, the information-sharing piece is the one that could yield real benefit in the present. This section requires the federal government to report cybersecurity threats to private industry in a timely manner, if those threats are labeled as unclassified. The value of this kind of knowledge to a company in the crosshairs is enormous. However, the classification is a big IF, so don’t expect your friendly neighborhood federal agent to routinely call you every time there is a threat on the horizon.
The meat and potatoes of the order is the government requirement for the National Institute of Standards and Technology (NIST) to work with industry leaders on the development of a common cybersecurity framework. The spirit and intent are applauded, but really this is too little, too late.
The healthcare and financial industries in the United States have arguably taken a more forward-looking stance on cybersecurity in recent years due to the inherently steep risks of operating with such highly sensitive and valuable data. The security controls outlined within SOX, GLBA, PCI and FFIEC already provide financial institutions with a commonly accepted, albeit overlapping, set of general practices for security controls. HIPAA, the much-delayed Omnibus Rule and the increasing number of state laws provide the same guidelines for healthcare, despite the vagueness of certain elements. If the intent of any new collaborative framework with NIST were a condensation and unification of these multiple rule sets, then we should welcome it with open arms. However, there is no indication of that being the case.
An additional anticipated effect of any newly adopted framework is an increase in the insurance and liability requirements of business associates. The HIPAA Omnibus Rule already extends the civil liabilities of vendors for PHI-related breaches. However, any new government-sponsored framework may have a trickle-down effect on the insurance industry, resulting in healthcare business associates strengthening their own security practices in order to minimize increased insurance costs related to coverage for security events. The result, in theory, is that the larger healthcare entities should no longer be the only ones playing “bad cop” in enforcing stringent security and contractual requirements upon business associates. Any way you look at it, there will be an increase in insurance costs for all parties involved, and that money will have to be taken away from something else.
Issuing an executive order and talking about a government-adopted framework is not protecting a single patient record right now. Breaches happen and will continue to occur due to the constant change in technology, the sophistication of attacks and inconsistent security training and implementation. That being said, the experience and expertise of the executives, officers and consultants who are part of this industry are a voice that must be heard and included in the development process. Whether or not anything of substance results from the NIST collaboration, those of us on the forefront of security should raise our hands and speak our piece. In other words, talk through the process, but recognize that it’s only talk and not an active protection mechanism for your organization’s data.