The Health Sector Coordinating Council is urging the Trump administration to ditch work on a proposed update to the HIPAA security rule that was published in the final days of the Biden administration.
Instead, HSCC is asking the White House and federal regulators to engage in a collaborative dialogue with healthcare sector leaders to identify alternative cyber requirements and goals that are more realistic and achievable.
The aim is to give healthcare sector entities the flexibility in deciding how their organizations can achieve better cybersecurity that results in measurable outcomes, said Greg Garcia, executive director of cybersecurity of the HSCC, a public-private coalition, in an extensive interview with Information Security Media Group.
“I think across the healthcare sector there is a recognition that we all need to do better in cybersecurity. And in many cases that’s going to mean higher standards of accountability – that is government requirements for compliance. I think nobody disputes that,” he said.
“The question is, ‘how do we do that?’ How do we do that in the most cost-effective, efficient way that’s actually going to move the needle in better cybersecurity, preparedness and resiliency?” he said.
“This is not so much opposition to better cybersecurity requirements, but more about seeking an alternative path that’s going to get us to our shared objective, which is better cybersecurity across the health sector and improved patient safety,” he said.
Objections to provisions of the proposed HIPAA security rule update from many of HSCC’s members – including 52 healthcare industry groups – had a common thread, he said (see: What’s in HHS’ Proposed HIPAA Security Rule Overhaul?).
“I think the common theme was that the requirements were either too stringent or too vague, making compliance extremely difficult both on a practical level and on a cost level,” he said. “And introducing that kind of uncertainty as to what constitutes good compliance means that actual effectiveness at achieving better cybersecurity is potentially compromised.”
Garcia said there is precedent for government and critical infrastructure sector leaders working together to hammer out consensus-based cybersecurity controls. One such example was the collaborative work that led to the 2014 publication of the National Institute of Standards and Technology’s cybersecurity framework, he said.
HSCC on Monday submitted to the White House and to the U.S. Department of Health and Human Services its policy proposal to convene a one-year collaborative effort in which healthcare sector groups and cybersecurity leaders would work with federal regulators to hammer out cybersecurity best practice requirements for the sector.
“The point is that rather than have a few lawyers within the government lock themselves in a room and devise 150 pages of cybersecurity regulations, how about they come out of that room and let’s have a negotiation?”
In this audio interview with Information Security Media Group, Garcia also discussed:
- The Trump administration’s response to the HSCC’s proposal so far;
- Reasons why many industry groups and cybersecurity leaders oppose provisions of the proposed HIPAA security rule update, which also would only apply to certain regulated organizations and not the wider healthcare sector;
- How HHS’ Cybersecurity Performance Goals and HSCC’s Health Industry Cybersecurity Practices potentially fit in with efforts to improve the sector’s security posture;
- Existing HSCC and other related resources to help healthcare sector organizations bolster their cybersecurity programs, best practices and controls;
- Key takeaways from his and others’ Congressional testimony earlier this week at a hearing examining the state of medical device cybersecurity;
- Important cybersecurity information sharing legislation that was signed into law a decade ago that will sunset in September unless reauthorized by Congress;
- Other top cybersecurity challenges facing the healthcare sector.
Prior to joining HSCC, Garcia served as the nation’s first Department of Homeland Security assistant secretary for cybersecurity and communications under President George W. Bush. He also served as executive director of the Financial Services Sector Coordinating Council and held executive positions with Bank of America, 3Com Corp., the Information Technology Association of America and Americans for Computer Privacy.