On June 21, 2017, Daniel Nutkis, CEO of HITRUST, testified before the U.S. Senate Committee on Homeland Security & Governmental Affairs. The hearing, entitled “Cybersecurity Regulation Harmonization,” provided an opportunity to discuss the health industry’s experience in engaging with government agencies on cybersecurity regulatory harmonization and the efforts that would provide the greatest benefit to industry. This is the second time in 90 days that Mr. Nutkis has testified to share his viewpoints with Congressional leaders.
In his testimony, Mr. Nutkis highlighted three areas where cybersecurity regulatory harmonization should occur to reduce redundancy, unnecessary expense and delays, and so better support the private sector in defending against cyber threats, improving cyber resilience and the management of cyber risk. The three areas were information sharing, the role of government as a partner, and the role of government as a regulator.
In addressing the first area, Mr. Nutkis pointed out that HITRUST operates the most active Information Sharing and Analysis Organization (ISAO) and continues to evaluate and innovate its services to better support industry in managing cyber threats.
Mr. Nutkis expressed some concern that more guidance and coordination is needed with regard to the role of the Department of Health and Human Services’ (HHS) recently established Healthcare Cybersecurity and Communications Integration Center (HCCIC). While he agreed that the objectives of the HCCIC are important, and re-confirmed HITRUST’s full support for the role government plays in promoting information sharing and ensuring liability protection, Mr. Nutkis noted that the role of the HCCIC appears to parallel the intended role and capabilities of the DHS NCCIC and of ISAOs.
On the second area, the role of government as partner, Mr. Nutkis recognized the burden, responsibility and authority incumbent on government to protect the private sector. But he asserted that, in areas where the private sector has made a significant investment in establishing an effective program or approach, the government should give those investments due consideration before seeking a government alternative that replicates or otherwise devalues industry efforts.
Mr. Nutkis addressed the third area, the role of government as a regulator, by reiterating HITRUST’s support for the mission of the HHS Office for Civil Rights (OCR) in conducting random audits designed to “enhance industry awareness of compliance obligations.” He noted, however, that HITRUST has documented that these random audits are in fact causing organizations to divert attention and resources away from enhancing their information protection programs in order to prepare for the possibility of a random audit.
Mr. Nutkis reasoned that, under the current audit model, OCR is spending its limited resources auditing organizations that have already implemented appropriate privacy and security controls and conducted the required risk assessments, work into which OCR has no visibility beforehand. He suggested that OCR’s resources would be better used by focusing on organizations that are not adequately addressing the HIPAA privacy and security requirements.
HITRUST proposes that policy makers consider a system whereby organizations that can demonstrate a comprehensive information security program complying with the privacy and security provisions of HIPAA receive some form of safe harbor, or similar relief, so that OCR can focus its HIPAA audits on organizations that cannot demonstrate compliance with those criteria.
Mr. Nutkis advocated that guidelines be established enabling organizations to communicate that they have obtained a comprehensive assessment covering the HIPAA Privacy and Security Rules, such as a HITRUST CSF Assessment, and on that basis be excluded from random OCR HIPAA privacy and security audits.
As a general request encompassing all three areas of his testimony, Mr. Nutkis asked that Congress require federal agencies to give due consideration to existing standards and best practices already in place before developing new ones that could present the healthcare industry with inadvertent confusion, unintended waste, and undue risk.