5 key takeaways from Cybersecurity Act of 2015

By Jessica Davis
10:58 AM
HHS must establish a taskforce analyzing cybersecurity risks, real plan yet to be established

When President Barack Obama signed The Cybersecurity Act of 2015, which was included in the federal omnibus government spending package, the legislation included nine pages of healthcare-related cybersecurity measures.

While these definitions lay out the necessary processes to instate a real plan for the future of healthcare security, a lot of work needs to be done for this to be accomplished.

"Over the past several years, major cyberattacks have dominated the headlines and dramatically raised public awareness of online security," U.S. Chamber of Commerce CEO Thomas J. Donohue said in a prepared statement. "This legislation is our best chance yet to help address this economic and national security priority in a meaningful way and help prevent further attacks," he added.

Within the 2009-page document, signed into law on Dec. 18, are five key points related to the healthcare industry.

1. Obama signed a two-year delay on the 40 percent excise tax on employer-sponsored, high-cost insurance plans, also called the Cadillac Tax. It changed the effective date from 2018 to 2020. Originally non-tax deductible, the bill has made it possible for employers to pay to make it so.

2. Department of Health and Human Services must submit a report assessing HHS and the healthcare industry's preparedness on cybersecurity threat responses to multiple congressional committees within a year of the bill's enactment. HHS also needs to select a leader to head cybersecurity initiatives and detail methods for addressing threats across the health divisions.

3. A taskforce must be formed within 90 days of enactment by HHS, Homeland Security and the National Institute of Standards and Technology leaders, agencies, experts and stakeholders. The group will analyze actions and safeguards in place in other industries, while assessing private healthcare challenges. It will also be tasked with determining EHR and interoperability issues.

4. Agencies must continue to educate stakeholders to improve preparedness, while creating a blueprint for sharing defensive measures and cyber threat indicators between the government and other entities and establish consensus-based voluntary best practices between the agencies to improve security and reduce cyber threats.

5. The Cybersecurity Information Sharing Act protects the liability of private sector entities when sharing and receiving cyber threat information. It also establishes the personal data that needs to be removed before data sharing can occur and how quickly individuals must be notified their information was shared.