News Feature | May 4, 2015

How Will The New Cybersecurity Data Sharing Bill Impact Healthcare IT?

By Megan Williams, contributing writer

A new cybersecurity bill could soon be impacting healthcare IT (HIT). H.R. 1560, also known as the Protecting Cyber Networks Act (PCNA), recently passed 307 to 116 in a bipartisan vote. It is intended to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats.” At the same time, the bill raises concerns about encroachment on individual privacy rights, according to Health IT Security.

The Bill
PCNA aims to create more fluid information sharing between corporations and government agencies, as well as increased knowledge sharing around hacker activities and techniques.

It also claims it will promote “the sharing with non-federal entities, if appropriate, of information in the possession of the Federal Government about imminent or ongoing cybersecurity threats to such entities to prevent or mitigate adverse impacts from such cybersecurity threats” and encourage “the timely sharing with relevant non-federal entities of cyber threat indicators in the possession of the Federal Government that may be declassified and shared at an unclassified level.”

Impact On Healthcare
HITRUST released a statement supporting the bill and outlined the importance of PCNA and its Senate counterpart, CISA (Cybersecurity Information Sharing Act), to information security in the healthcare industry, emphasizing the legal protections it provides. They claim that the bills “provide legal certainty that companies sharing that information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time and taking actions to mitigate cyberattacks.”

The alliance also emphasized points that tie the bills back to interoperability initiatives: “Both measures go far in addressing information sharing priorities and provide clarity for healthcare companies. HITRUST opposes any amendments that would weaken significant provisions in either bill including the need to safeguard privacy and civil liberties, weaken liability protection for information sharing and establish appropriate roles for government agencies and departments.”

HITRUST CEO Daniel Nutkis also weighed in, specifically on the impact the bills have on security within the industry: “I think where we would like to be more engaged is in the dialogue in what the expectations are for an information sharing and analysis organization ... For organizations to have a meaningful dialogue there has to be some context, and sometimes to have the context there has to be a consistent maturity, or level of knowledge and sophistication.”

Privacy Concerns
A full 55 civil liberties groups and security experts contacted the House of Representatives in a letter, asking that it not pass the bill, largely because of claims it would “significantly increase the National Security Agency’s access to personal information.” The bill, like CISA, would authorize the Federal Government to use information for purposes that are not related to cybersecurity.

The letter complains that the security protections provided by the bill aren’t strong enough, and that there is insufficient clarity around what information can be shared and how it could be used by the government.