Health Sector Regulators Increase Focus on Cybersecurity
Cybersecurity Task Force. Section 405 of the Cybersecurity Act of 2015 requires HHS to establish a Health Care Industry Cybersecurity Task Force that will create a plan for sharing information regarding threats to cybersecurity for the health care industry and recommend additional protective measures for networked medical devices and electronic health records. HHS Secretary Sylvia Burwell announced on March 1, 2016, that HHS is seeking nominations for task force members. Nominations are due by 5 p.m. Eastern on March 9, and the new task force is scheduled to have its inaugural meeting on March 17.
HIPAA-NIST Crosswalk. The HHS Office for Civil Rights (OCR) published a “crosswalk” (Crosswalk) that maps the requirements of the National Institute of Standards and Technology’s 2014 Framework for Improving Critical Infrastructure Cybersecurity (Framework) to the corresponding requirements of the HIPAA Security Rule. OCR noted that following the Framework is not sufficient to satisfy the HIPAA Security Rule. However, OCR indicated its hope that the Crosswalk will help organizations that seek to align their cybersecurity programs with both standards to identify potential gaps in their cybersecurity practices, and ease the process of transitioning from a set of cybersecurity policies and practices based on one of the standards to a program that is based on both. The Crosswalk also signals OCR’s view that organizations should consider, as part of their HIPAA Security Rule risk analysis, “whether participating in cyber-threat sharing programs is reasonable and appropriate to reduce their security risk”—as the Framework includes such sharing as part of the Risk Assessment category within the Identify function.
Framework Implementation Guide. The Health Information Trust Alliance (HITRUST), in collaboration with the Healthcare and Public Health Sector Coordinating Council, has released the Healthcare Sector Cybersecurity Framework Implementation Guide (Guide). The Guide focuses on how organizations can use the HITRUST Risk Management Framework to align their cybersecurity programs with the Framework.
Cybersecurity will grow as a key concern for the health sector as regulators continue to emphasize cybersecurity in their enforcement actions. HHS has recently imposed significant penalties related to allegations that organizations failed to properly assess and address cybersecurity risk. Another key indicator is the provision in the Cybersecurity Act of 2015 directing the HHS Secretary to establish and regularly update a set of voluntary cybersecurity best practices standards. As previously noted, organizations are well advised to pay close attention to these developments; although the standards will be “voluntary”, their publication would have a government imprimatur and could quickly become the industry standard.