The Cybersecurity Act of 2015, included in the Omnibus Appropriations and Tax Reform Package adopted into law in December 2015, specifically addresses cybersecurity in the healthcare industry.
Broadly, the Act (A) establishes the Department of Homeland Security (DHS) as the clearing-house for sharing of cybersecurity threats for the federal government, and (B) provides new rights for network operators (i) to monitor their own networks for the purpose of protecting the network from attempts at hacking, denial of service attacks and other network weaknesses, and (ii) to share cyber threat indicators, and related defensive measures, with others.
Section 405 of the Cybersecurity Act specifically addresses cybersecurity in the healthcare industry by:
1. Requiring the Department of Health and Human Services (DHHS) to develop a report outlining responsibility within DHHS for coordinating efforts regarding cybersecurity threats;
2. Creating a new healthcare industry cybersecurity task force composed of healthcare stakeholders, cybersecurity experts and federal agencies with specific assignments, which include (i) analyzing how industries, other than the healthcare industry, have implemented strategies to address cyberliability threats, (ii) analyzing barriers that private healthcare entities face to address cyber attacks, (iii) reviewing challenges to securing networked medical devices or software that connects to an electronic health record, and (iv) developing information to be provided to healthcare providers for purposes of improving preparedness for, and response to, cybersecurity threats; and
3. Requiring DHHS to establish guidelines and best practices that serve as a resource for cost-effectively reducing cyberliability risks consistent with HIPAA and other relevant laws.
Members of Parker Poe’s HIPAA and Security Team are available to answer questions regarding the Cybersecurity Act as well as to assist clients to address cybersecurity concerns.