Ten years ago, President George W. Bush briefly mentioned electronic health records in a State of the Union address and the federal government is now in the midst of a multibillion dollar effort to promote the technology. Will the same thing happen to cybersecurity, a subject to which President Barack Obama devoted an entire paragraph in his own State of the Union message?
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” Obama said as he urged Congress to pass cybersecurity legislation.
Obama's proposed federal cybersecurity legislation has healthcare data security experts applauding. The White House released a summary of the plan (PDF) last week as part of a publicity campaign ahead of the speech.
“I think it's an exciting time that the president is talking about cybersecurity,” said Lillian Ablon, a researcher and information security expert at RAND Corp., and co-author of a report on the burgeoning marketplace for cybercrime.
Obama's proposals are not specific to the healthcare industry. But, Ablon said, the details are not necessarily important. What matters is “that he's bringing it to the nation's attention.”
The inclusion of cybersecurity in the State of the Union address is a signal to lawmakers that the White House believes it's an area where government needs to act, said Lisa Gallagher, vice president of technology solutions for the Health Information and Management Systems Society, a Chicago-based trade group for health IT users and developers. “It's the administration coming out saying, 'We recognize the threat.'”
The president's proposal includes a demand that the Department of Homeland Security hire a private entity to create federal criteria for what are known as information sharing and analysis organizations, which allow participants to swap security threat information. The criteria would be analogous to the certification criteria already established for electronic health-record systems used in the EHR incentive payment program.
“We're really in favor of the government coming out with some guidelines,” said Daniel Nutkis, president and CEO of the Health Information Trust Alliance, or HITRUST, which is already a federally certified information sharing and analysis organization that serves as a relay system within the healthcare industry.
But just as data in an EHR is only as good as its application to a patient, for security threat information to be beneficial, it has to be in a form that's understandable and actionable. “People have to consume it and use it,” Nutkis said. “Just because they're sharing information it doesn't mean that problem's solved.”
Obama also is proposing a single federal data breach law that would pre-empt 47 states' breach notification laws, according to Kirk Nahra, a lawyer specializing in healthcare privacy and security with the Washington, D.C., firm Wiley Rein.
A draft proposal of the legislation Nahra has seen would not change the status quo for healthcare “covered entities” under HIPAA, however, Nahra said.
The Obama plan “carves out the banking and the healthcare industry, because they have their own breach laws,” he said. The HIPAA amendment in the HITECH provisions of the 2009 American Recovery and Reinvestment Act that included a federal healthcare breach-notification law is silent about state laws, so it doesn't preempt them, Nahra said. Healthcare providers in California, for example, which has a state breach-notification law that covers healthcare organizations, would still have to abide by the California breach-law provisions as well as the federal breach-law requirements, Nahra said.
Of 1,170 breaches reported since September 2009 on the “wall of shame” website at HHS, 95 of them, or 8%, involve some form of hacking incident.
Of the nearly 40.9 million individuals' records exposed by that total number of breaches, nearly 7.8 million of them, or 19%, were blamed on hackers, including the second-largest breach on the list, reported last August by Community Health Systems, Franklin, Tenn. The hospital group said its systems were hacked by “a group originating from China” that stole personally identifiable information on 4.5 million individuals.
There were so many high-profile hacks last year that Ablon, the RAND expert, called 2014 “the year the hack went viral.” They ranged from celebrity selfies hacked from Apple's iCloud system to a trove of information, including embarrassing e-mails, stolen from Sony's computers in a hack the FBI traced to the North Korean government. Tens of millions of more mundane consumer records were stolen from mass retailers Target and Home Depot and the bank JPMorgan Chase.
Healthcare organizations have focused on technological defenses, but increased government involvement could broaden the industry's horizons to look more at the source of potential attacks, Gallagher said.
“It's important to look beyond the threat system to the threat motivators,” Gallagher said. That's where collaborating with the feds could be helpful, she said. “This is an area where we need to do some serious analysis. We want to understand this before healthcare organizations get notified there is an advanced persistent threat from some nation-state actors.”
Follow Joseph Conn on Twitter: @MHJConn