House Committee Examines Implementation of Cyber Threat Sharing Law
Key Takeaway: The House Committee on Homeland Security heard from a variety of industry stakeholders on the status of implementation of the Cybersecurity Act of 2015, which seeks to improve cyber threat information sharing.
Why it Matters: The growing cyber threat landscape is not lost on Congressional leaders as they strive to provide resources for the federal government and incentives for the private sector to facilitate the sharing of cyber threat indicators. While the healthcare sector was not a direct topic of conversation, the Committee’s broad focus on the implementation of the information sharing policies put in place by the Cybersecurity Act of 2015 will be of great interest to the healthcare industry moving forward.
The Cybersecurity Act, which passed along with the Omnibus Appropriations Act and was signed into law on December 28, 2015, provides liability protections so that companies and other organizations can more freely exchange threat indicators. This includes “government-to-private” information sharing and “private-to-private” sharing. Witnesses and Committee members expressed interest in how to make cybersecurity threat information sharing of value to small and large businesses alike.
The legislation also included a healthcare-specific section, which provided directives to improve the Department of Health and Human Services' internal cybersecurity readiness and called for the development and distribution of resources, scalable across the industry, to improve the healthcare sector’s cybersecurity hygiene.
Senators Launch Cybersecurity Caucus
Key Takeaway: The Senate will now have a Cybersecurity Caucus, an additional venue for educating Senators and their staff on the myriad issues associated with cybersecurity.
Why It Matters: The gravity of the cybersecurity threats facing the nation is not lost on Congress. The issue has been bipartisan, and the launch of the Senate Cybersecurity Caucus last week continues that trend.
Founded by Senators Cory Gardner (R-CO) and Mark Warner (D-VA), the caucus will focus on various aspects of cybersecurity threats, including national security, the economy, and digital security. According to the release announcing the caucus, “The caucus will provide unique opportunities to inform Senators on the major cyber policy issues facing Congress, introduce Senators and their staff to leading cybersecurity experts, and promote bipartisan and cross-jurisdictional discussions on this important issue.”
The House Cybersecurity Caucus, led by Representatives Michael McCaul (R-TX-10) and Jim Langevin (D-RI-02), has more than 70 members.
Information Sharing Final Guidance Released by DHS and DOJ
Key Takeaway: Last week the Department of Homeland Security (DHS) and the Department of Justice (DOJ) released final guidance for compliance with the Cybersecurity Act, which authorizes the voluntary sharing and receiving of cyber threat indicators and defensive measures for cybersecurity purposes that are consistent with certain privacy and civil liberty protections.
Why It Matters: Most relevant to healthcare delivery organizations is the Guidance to Assist Non-Federal Entities, which clarifies that protected health information (PHI), such as information in an electronic health record (EHR), would not need to be shared in most cases because it is not likely to be relevant to the threat indicator.
The guidelines released last week include:
- Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015
- Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015
- Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government
The Guidance to Assist Non-Federal Entities outlines the types of information that would qualify as cyber threat indicators, other types of information covered by existing privacy laws that would likely not be shared, how to share cyber threat indicators with the federal government, and the legal protections provided to entities that share indicators and defensive measures, as set forth in the Cybersecurity Act.