*This post is co-authored by Vince Sampson
On Tuesday the Senate passed the Cybersecurity Information Sharing Act (CISA). The House had passed a similar bill, the Protecting Cyber Networks Act, in April of this year. The Act comes in the wake of many large scale data breaches, such as that suffered by health insurer Anthem. Supporters of the bill, including leading health IT groups such as the College of Health Information Management Executives (CHIME) and the Association for Executives in Health Information Security (AEHIS), argue that the Act will stop hackers by getting companies that have been breached to share information with federal law enforcement. However critics, including tech companies such as Apple and Twitter, argue CISA is an excuse for federal officials to gain information on individuals without a warrant and that the potential for disclosure will reduce consumer confidence.
CISA was passed by the Senate on Tuesday and spells out that information can be shared with the government regarding a “cybersecurity threat” and “threat indicators.” Further, CISA overrides other privacy laws stating that this sharing is allowed “notwithstanding any other provision of law” as well as providing certain immunity liability protections. Section 106 of CISA provides protections to entities acting in accordance with this bill that: (1) monitor information systems, or (2) share or receive indicators or defensive measures, provided that the manner in which an entity shares any indicators or defensive measures with the federal government is consistent with specified procedures and exceptions set forth under the Department of Homeland Security (DHS) sharing process. DHS is required to develop the sharing process under section 103 of CISA. The recent increase in data breach of large companies, including those in the health care industry, has elevated the issue of data breach response and better preparedness to the forefront. In addition, CISA contains a proposal from Senate Health, Education, Labor and Pensions leaders Lamar Alexander (R-Tenn.) and Patty Murray (D-Wash.) mandates that the Department of Health and Human Services (HHS) develop voluntary framework of common security standards and practices. While the creation of the framework is required, the language prevents HHS from auditing health care organizations for compliance with that framework. This language would also prevent HHS from using the framework as a condition for receiving a federal grant or contract. Health Care organizations would not be liable for not using the framework. CISA also directs HHS to create a task force to study and outline how best to share cyber threats within the health care world. Although the information sharing provisions of the Act are voluntary, there is some concern that companies could essentially be required to provide this information in order to receive assistance when dealing with a cybersecurity incident in which they would like to receive additional help or information from government authorities.
Tuesday’s vote came after a series of amendments were struck down that would have provided additional privacy protections. Many companies have voiced opposition to CISA claiming that it will diminish their customer’s trust in the ability to protect their privacy. Those involved in the health industry face additional concerns as they are dealing with extremely sensitive information and while health data protection is vital, CISA raises concerns about patient’s willingness to disclose sensitive information without adequate privacy protections as well as what notifications (such as in privacy policies) must be given of these potential disclosures.
The vote on Tuesday does not make CISA law, as there are still differences between it and the two House cyber bills to resolve. Additionally, while there has been some White House support for CISA, President Obama could still veto the conferenced bill. Those involved in the health field should carefully watch what happens with this Act and consider if and how to notify consumers about these new potential disclosures.