The council calls for a one-year consultation with federal officials to align cybersecurity goals with healthcare delivery realities.
The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group recommended in a policy statement that the Trump Administration initiate a one-year consultative process with leaders of the healthcare sector to negotiate sound cybersecurity practices that all healthcare stakeholders can be held accountable to.
As an alternative to the HIPAA Security Rule notice of proposed rulemaking published in December, the HSCC Cybersecurity Working Group says that this “collaborative process would align with the administration’s pledge to ‘Make America Healthy Again’ on the imperative that cyber safety is patient safety” and build on healthcare cybersecurity practices developed by the industry over the last seven years.
Such a process has precedent in Executive Order 13636 that directed the National Institute of Standards and Technology to convene critical infrastructure owners and operators to develop the “NIST Cybersecurity Framework (CSF).” The CSF has become a widely adopted reference for enterprise cybersecurity risk management across government and industry, an example of good policy operationalized.
The Cybersecurity Working Group proposes that a similar process be used to negotiate a Healthcare Cybersecurity Framework drawing from the comprehensive library of resources published by the sector for the sector, health sector recommendations for government cybersecurity policy and programs, and its five-year Healthcare Industry Cybersecurity Strategic Plan.
Call for Collaborative Framework
In testimony before the House Energy and Commerce Subcommittee on Oversight and Investigations, HSCC Cybersecurity Working Group executive director Greg Garcia said, “The healthcare industry is now targeted by more cyber attacks than any other industry sector. If our healthcare owners and operators are to keep up with the evolution of healthcare delivery, technology innovation, and adversarial cyber threats across our vastly interconnected ecosystem, we need our government as a partner in this mission.”
Garcia added that “a successful consultative process will lead to government promulgating expectations for industry accountability to ‘the what’—measurable cybersecurity outcomes—and the industry determining ‘the how’—specific governance and technical controls we should be held to. Then together industry and government will be aligned to a framework that is flexible, measurable, accountable, and effective, ultimately serving patient safety and infrastructure resilience.”
Garcia gave his remarks during the subcommittee's April 1 hearing on healthcare and medical device cybersecurity.