How the Senate's Cyber Bill Could Affect Health Sector
If Bill Gets Signed Into Law, Who's Affected and What Are Their New Challenges?
Among other provisions, a Senate cybersecurity bill passed on Wednesday calls for critical infrastructure entities to report significant cyber incidents to federal authorities within 72 hours, and to report within 24 hours when a ransomware payment is made. If the bill passes in the House and gets signed into law, what is the potential impact on healthcare and public health sector organizations?
The Strengthening American Cybersecurity Act bundles three critical cybersecurity measures, including the 72-hour reporting mandate for "major" cyber incidents and 24-hour reporting of ransomware payments by critical infrastructure owners and operators to the Cybersecurity and Infrastructure Security Agency.
The bill also requires all civilian agencies to report all cyberattacks to CISA and updates the requirements for agencies to report cyber incidents to Congress.
The bill's other two key components include an update to the Federal Information Security Modernization Act and authorization for the governmentwide program standardizing security assessment, authorization and monitoring for cloud services.
Potential Healthcare Sector Impact
The Senate bill says the types of critical infrastructure organizations covered by the legislation include entities for which a cybersecurity disruption or compromise could cause consequences to national security, economic security or public health and safety.
So what sorts of entities within the healthcare and public health sector might potentially fall under cyber incident reporting mandates? That's not entirely clear yet, some experts say.
"The scope of who will be required to report and what they will be required to report is likely to evolve," says privacy attorney Kirk Nahra of the law firm WilmerHale. "A doctor losing a laptop likely won’t trigger under this. A hospital being attacked by ransomware that shuts down the whole hospital record system would," he says.
Regulatory attorney Rachel Rose says entities that contract with the Department of Defense, the Veterans Administration and the State Department, for example, would be required to comply. And for organizations that create, receive, maintain or transmit protected health information, HIPAA breach reporting would still apply, she says.
Entities and their business associates covered under HIPAA would continue to have their 60-day reporting obligations for breaches of PHI affecting 500 or more individuals, according to Rose. But not all of those organizations will necessarily fall under the critical infrastructure entities that could be required to report incidents more quickly to CISA under the Senate's cyber legislation.
Certain electronic health record vendors, cloud service providers and medical services contractors also are examples of potential entities that would not only have their usual HIPAA breach reporting obligations but also possibly fall under the Senate's cybersecurity bill, if it advances, she says.
"Having said that, the Department of Health and Human Services' Office for Civil Rights is tasked with enforcing civil liberties, as they relate to a person's PHI. And protecting the 'civil liberties or public health, and safety of the people of the U.S.' is expressly stated [in the Senate bill]. The key is to watch for the developments and guidance regarding the term 'major incident.'"
Additional Burdens
Privacy attorney David Holtzman of the consulting firm HITPrivacy says the legislation could apply to any healthcare organization that maintains an information system accessible to the internet, as well as a vendor to a healthcare organization that has electronic access to the entity’s information system or data.
"The bill passed by the Senate does not exempt HIPAA-covered entities or their business associates from the obligations to report cybersecurity incidents or make ransomware payments," he says. "The legislation does not preempt or modify the existing HIPAA breach reporting requirements established in the HITECH Act."
Denise Anderson, president of the Health Information Sharing and Analysis Center, says that while it is too early to know what the final legislation will look like, it is "commendable" that Congress is working to tackle the issue of cybersecurity around the critical infrastructure sectors.
But "there are many nuances to defining incidents as well as what should be reported," she says.
"There also needs to be a strategy behind what organizations would need to report and what the actual outcome of the reporting would be to make sure it is effective and not just a 'check box' exercise."
Also, fast reporting requirements put additional burdens on entities that may be working hard to mitigate an incident if it occurs, Anderson says.
"We'd like to see Congress leverage what already exists and support the work that the ISACs do where relevant, actionable information is shared daily around incidents so that organizations can immediately benefit."
Quick Turnaround
For many HIPAA-covered entities and their business associates, the 60-day deadline under HIPAA to report large PHI breaches is already challenging. So, how realistic is it for entities to report "major" cybersecurity incidents within 72 hours to federal authorities?
"When you have short time periods like this, entities often find that they have to report while they have limited facts, which may result in over-reporting suspicious activity that does not end up qualifying as a cyber incident," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
But entities that end up needing to report cybersecurity incidents under the Senate bill proposals "will still have time under HIPAA to investigate and confirm facts before making a final decision as to whether it is reportable to affected individuals and HHS OCR," Greene says.
Also, entities likely will need to make reports based on limited information that is initially available, so such reports may not always prove accurate or comprehensive, he says. "For example, in a ransomware incident, the entity may be able to report that their systems have been compromised but may not yet know whether data was exfiltrated."
Anahi Santiago, CISO of ChristianaCare, the largest healthcare provider in Delaware, says another important consideration in the countdown to 72-hour reporting of cybersecurity incidents is "when does the clock start?"
For instance, "does the clock start when we have an indicator of compromise … or is it when we know for a fact that we have a breach?" Even if the bill advances and gets signed into law, Santiago says, "we will need guidance from CISA and other regulatory agencies to help us navigate. But I do think it will be a challenge for a lot in the healthcare sector to comply with such an aggressive timeline."
Attorney Rose says that the shift toward shorter reporting periods for security breaches is not brand-new.
"States have begun requiring shorter time periods for reporting. My clients have a list of states and the relevant time frames in their respective policies and procedures to ensure that they are meeting the shorter time frames," she says.
"The key is assessing breach notification policies and procedures, as well as updating business continuity and disaster recovery plans to reflect the shorter time period if it applies. Training is also critical and should be updated accordingly."
If the statute is interpreted too broadly, "I would expect potentially hundreds if not thousands of reports a day," says privacy attorney Iliana Peters of the law firm Polsinelli. "This creates significant additional burdens not only for the regulated community - healthcare and otherwise - but also for our law enforcement partners."
Other Considerations
Peters says it is also important for HIPAA-covered entities and business associates to refer to HHS OCR's guidance on the sharing of PHI with law enforcement agencies regarding cyber incidents, "and the fact that such sharing of PHI is not permitted without an otherwise applicable permission under the HIPAA Privacy Rule, or a HIPAA authorization from the affected individual."
Peters also says entities need to consider concerns pertaining to sharing personally identifiable information under applicable state law and the preemption issues associated with such sharing.
The Strengthening American Cybersecurity Act was sponsored by Sen. Gary Peters, D-Mich., the committee chairman, and its ranking member, Sen. Rob Portman, R-Ohio.
In a joint statement Wednesday following the Senate passage of the bill, they said that the legislation is "urgently needed in the face of potential cyberattacks sponsored by the Russian government in retaliation for U.S. support in Ukraine."