The U.S. Congress has voted to pass the Cybersecurity Act of 2015 as part of the omnibus spending package. The Act formalizes the process for information sharing, encouraging private entities to share amongst themselves and with the government. The Act also provides legal certainty that companies sharing information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time, as well as when taking actions to mitigate cyber attacks.

As the leading organization in the healthcare industry for advancing the state of information protection, HITRUST fully supports the Act, which recognizes the importance of a health industry-specific cybersecurity approach, associated guidance and best practices, and leveraging industry standards that are developed through a public and private consensus-driven process.

This reinforces the significance of efforts already underway by HITRUST in coordination with the Healthcare and Public Health (HPH) Government and Private Sector Partnership for Critical Infrastructure Security and Resilience (CISR) to develop an industry-specific framework and guidance.

Additionally, the Act directs the Secretary to evaluate how to most effectively disseminate cyber threat information from the government to industry. This critical process has received much attention over the last year, and HITRUST has remained at the forefront of supporting this direction.

HITRUST opposed any amendment that would weaken significant provisions including the need to safeguard privacy and civil liberties or weaken liability protection for information sharing, and encouraged establishment of appropriate roles for government agencies and departments to continue to collaborate with industry.

Although industry is making improvements in cyber readiness and response, by singling out the healthcare industry, the Act sends a clear message that lawmakers are concerned with the pace of this progress.

HITRUST looks forward to continued engagement with the Department of Health and Human Services (HHS) as the Secretary and the development of the taskforce.

HITRUST continually endeavors to elevate the level of information protection by ensuring greater collaboration between the healthcare industry and government. HITRUST brings extensive experience in developing an information privacy and security framework, through the HITRUST CSF, which is the industry’s most widely adopted approach.

As an official Information Sharing and Analysis Organization (ISAO), HITRUST operates the healthcare sector’s most active cyber threat exchange, the HITRUST CTX, acts as an industry cyber threat early warning system, and automates indicator of compromise (IOC) distribution. HITRUST also coordinates the health industry’s most widely engaged cyber preparedness and response exercises through its CyberRX program and provides other programs, including Monthly Industry Cyber Threat Briefings.

The HITRUST CSF, HITRUST CTX, CyberRX and cyber briefings are all free offerings with no membership required.