House Energy And Commerce Committee Hearing Examines Role Of The Department Of Health And Human Services In Health Care Cybersecurity

King & Spalding

On Thursday, June 8, 2017, the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce convened to hear testimony from representatives of HHS and CMS on the findings of two reports required by Congress under the Cybersecurity Act of 2015 (“CSA”), “examining both HHS’ internal cybersecurity processes and industry recommendations for improving cybersecurity across the sector.” The hearing also examined the recent global outbreak of “WannaCry” ransomware and HHS’ response to it.

The first report focused on internal government processes to advance the mandate of the CSA. The second report, issued on June 2, is the product of the Health Care Industry Cybersecurity Task Force, which consists of stakeholders from HHS, the Department of Homeland Security, the National Institute of Standards and Technology, the health care sector, and cybersecurity experts. It is organized around six imperatives and includes, among others, the following recommendations for industry:

  • Industry should leverage information-sharing programs to better manage cybersecurity risks and vulnerabilities;
  • Industry must adopt coordinated vulnerability disclosure policies and procedures;
  • Industry must develop “bills of materials” for their products that identify their components and any known risks associated with those components;
  • Industry should explore ways to secure and replace legacy systems; and
  • Industry should explore ways to better enable and ensure timely patching of information technologies within the healthcare environment.

During the hearing, witnesses Emery Csulak (Chief Information Security Officer and Senior Privacy Official, CMS; Co-Chair, Health Care Industry Cybersecurity Task Force), Steve Curren (Director, Division of Resilience, Office of Emergency Management, Office of the Assistant Secretary for Preparedness and Response, HHS), and Leo Scanlon (Deputy Chief Information Security Officer, HHS) emphasized the unique and serious cybersecurity threat facing the healthcare industry, the creation and purpose of the Healthcare Cybersecurity Communications Integration Center and its role in resolving the WannaCry incident, and further measures to facilitate public-private partnership and communication in addressing cybersecurity threats.

One impediment to public-private partnership and information sharing that was highlighted is the perceived legal liability of sharing information with the government. Mr. Curren stated that “we need to communicate the legal protections we have in place so that they feel free to share information with us.” Mr. Scanlon added that there are many misunderstandings about what can and cannot be reported under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), but that HIPAA is very clear in encouraging the reporting of cybersecurity breaches and related information. He also cited the example of many medical device manufacturers who incorrectly believe that the Food and Drug Administration does not allow devices to be patched. Mr. Scanlon added that HHS is working on “plain language guidance agreed upon by us and other partners to give partners a framework with which to communicate with us.”

Representative Katherine Castor (D-FL) expressed concern that the president’s proposed $6 million budget cuts would make it difficult for HHS and the Office for Civil Rights (“OCR”) to take action against entities that fail to protect the privacy of electronic health records. She asked, “once you take the cop off the beat, how do you keep [industry] accountable?” and predicted that budget reductions would limit OCR’s capacity to resolve complaints. Mr. Csulak responded that “regardless of the money and resources of OCR,” HHS should step back and look at other public-private partnership audit models, such as that of the Securities and Exchange Commission. “Regardless of the money that’s there,” he said, “how do we leverage private industry to contribute to the knowledge base?”

Representative Chris Collins (R-NY) drew attention to small- and medium-sized healthcare organizations that “don’t have the resources or the personnel to address cybersecurity or understand what’s at risk.” With small and medium businesses “struggling to make payroll,” he added, “too often cybersecurity is the last thing you want to think about.” Mr. Curren affirmed that the needs of small- and medium-sized healthcare organizations are a major focus, as it is hard for small healthcare organizations even to process the amount of information available, and such organizations may not have the resources to join information-sharing organizations. Mr. Scanlon added that HHS had produced one-page information sheets for small and medium organizations to provide “information in real time to folks who don’t have sophisticated cyber security teams.”

We continue to monitor this issue and will provide periodic updates. 

A link to the hearing and accompanying documents may be found here.

A link to the Health Care Industry Cybersecurity Task Force report may be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
