The healthcare information technology sector is hailing healthcare-specific cybersecurity provisions that have made their way into the massive omnibus legislation that Congress passed on Friday.
The $1.1 trillion spending and tax extender bill, which is now on its way to President Barack Obama, includes language that closely follows the recommendations from the Healthcare Information and Management Systems Society and other groups, which have pushed for greater government support for combating cyber threats.
The legislation creates a healthcare industry cybersecurity task force to be established within the law's first 90 days. The task force will study how other industries combat cyber threats as well as the technical and other challenges that make the healthcare industry vulnerable to attacks.
It also calls for a single pipeline of actionable information on cyber threats that could be accessed in real time and at no cost. Access to that information is currently cost-prohibitive for small and mid-size healthcare organizations, said Samantha Burch, HIMSS' senior director of congressional affairs.
A parallel focus of the bill calls on HHS to work with the Department of Homeland Security as well as the National Institute of Standards and Technology to create voluntary guidelines and best practices for healthcare organizations to follow that could cost-effectively reduce their risk of cyberattacks.
The healthcare provisions are part of the larger Cybersecurity Information Sharing Act, which has the support of business groups like the U.S. Chamber of Commerce but has been in the crosshairs of privacy advocates. The bill allows greater information sharing between private companies and the federal government.
HIMSS had several conversations with the Committee of Health, Education, Labor and Pensions to develop the healthcare piece of the bill, Burch said. The group has been on the front lines of advocating for a data security framework to address the growing incidence of cyber threats.
“Healthcare is a high-value target,” Burch said. “The value of stolen medical records is pretty high. We don't think (this legislation is) a silver bullet but we do believe now that healthcare organizations will get the support they need.”
The cost of cyberattacks has become so significant in recent years that analysts at Moody's Investors Service last month said they could even begin to weigh on providers' credit ratings. Each data breach comes with hefty reputational and financial risks.
This year alone saw four of the five largest healthcare data breaches since the federal government began keeping records in 2009. A data breach at Anthem in February exposed 80 million records while hackers compromised 10 million records when they hit Rochester, N.Y.-based Excellus Blue Cross and Blue Shield in September.