Thanks to the CHIME Legislative Affairs team for this summary.
Key Takeaway: The massive government spending package that was enacted late last Friday included language to enable cyber threat information sharing and directives to the Department of Health and Human Services (HHS) to better equip the healthcare sector to combat cyberattacks.
Why it Matters: Congress responded to pleas from the provider community for additional resources to improve preparedness against cyber threats. The language included in the funding package seeks to improve clarity on who within the HHS leads cyber efforts and how sub-agencies should coordinate for the benefit of all stakeholders.
The law also called for the creation of a healthcare industry cybersecurity task force within 90 days of enactment to: analyze how other industries have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries; evaluate challenges to securing healthcare entities; review challenges with securing networked medical devices; and determine what's needed to implement cyber threat information sharing within the healthcare sector.
Further, Section 405 directs the secretary of HHS, working with other federal and non-federal entities, to develop a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures and processes that can serve as a resource for reducing cybersecurity risks for a range of healthcare organizations.
A draft of the healthcare-specific language was first included in the Senate’s Cybersecurity Information Sharing Act of 2015 when it passed in November (neither of the House-passed bills included health-specific directives), but the healthcare language was edited and ultimately included in the Omnibus spending package.