Bolstering Healthcare Cybersecurity: The Regulatory Outlook
Privacy Attorney Iliana Peters on HHS' Plans to Beef Up Health Sector Security
The Biden administration's strategy for bolstering health sector cybersecurity, which includes newly released voluntary cyber performance goals and plans to update the HIPAA Security Rule, is fueling uncertainty in some organizations, said privacy attorney Iliana Peters of law firm Polsinelli.
Arguably, HHS' recently published voluntary cybersecurity performance goals - which are divided into "essential" and "enhanced" controls and best practices - "are already required under the HIPAA Security Rule," Peters said (see: HHS Details New Cyber Performance Goals for Health Sector).
HHS' overall strategy to bolster healthcare security - which was outlined in a concept paper released in December and is part of the Biden administration's larger initiative to shore up cybersecurity across all critical infrastructure sectors - includes rule-making and other regulatory plans (see: Biden Administration Issues Cyber Strategy for Health Sector).
So far, those plans include updating the HIPAA Security Rule this spring, potential new incentives for hospitals that invest in cybersecurity and disincentives for those that skimp on it, and other changes.
But the lack of details so far in what the changes will encompass adds to sector confusion, Peters said.
For instance, the intent of the HIPAA Security Rule when it was written in 1998 and finalized in 2003 was not to be overly prescriptive but to allow flexibility and scalability for regulated entities to address evolving security needs, threats and technologies with solutions appropriate for their specific environments.
If the rule is updated in a way that makes it more prescriptive, Peters fears that could undermine the cybersecurity posture of healthcare entities moving forward.
"If the hypothetical updated rule says, 'Encryption is required,' and quantum computing is at some point better than encryption, are we going to get stuck with encryption and not be able to pivot?" she asked.
"This remains the rub with making very specific requirements into law in data security, because things change so quickly. We have to be nimble in order to make sure that the next best safeguard is one that is deployed, rather than being stuck with an out-of-date requirement."
Peters also questioned whether HHS' regulatory and enforcement priorities on how best to improve the healthcare sector's cybersecurity are potentially misaligned.
"There's a bit of a disconnect in terms of where we're trying to go and the resources that are available - at least so far - particularly given that HHS focuses its enforcement on entities that are already reporting breaches," she said.
HIPAA-regulated entities are already required to report major breaches of protected health information to HHS' Office for Civil Rights, and the agency subsequently investigates those incidents.
But perhaps HHS should focus more investigative attention on organizations that experience health data breaches and don't report them, to evade regulatory scrutiny, said Peters, who is a former HHS OCR official.
"HHS isn't looking at those right now, and they have the authority to do that already. They have broad compliance review authorities. They have audit authority after the HITECH Act. But they haven't used it in years" (see: At Last, Results of HIPAA Compliance Audit Program Revealed).
In this interview with Information Security Media Group, Peters also discussed:
- What congressional action might be needed to support various proposals in the Biden administration's plans to improve cybersecurity in the healthcare sector;
- The potential hurdles HHS faces in making changes to the HIPAA Security Rule and taking other planned regulatory actions;
- The benefits of regularly updating government cybersecurity guidance, such as various National Institute of Standards and Technology publications.
Peters is a Polsinelli law firm shareholder and an attorney in its national healthcare operations practice. She previously spent more than a decade at HHS OCR, including serving as the acting deputy director of health information privacy and as the senior adviser for HIPAA compliance and enforcement. Before joining the OCR team in Washington, Peters worked as an investigator in OCR's Dallas regional office.