Bill has strong support from HIMSS, CHIME, others – but many groups have expressed privacy concerns

Cybersecurity Information Sharing Act sails through Senate

By Mike Miliard
10:56 AM

The U.S. Senate passed the Cybersecurity Information Sharing Act on Tuesday in a 74 to 21 vote. Offering companies legal immunity when sharing threat data with the federal government, the bill has big implications for healthcare data privacy and security.

The legislation will next be reconciled with a similar bill passed by the House of Representatives and is likely to be signed into law by President Obama, a longtime proponent of such information sharing.

"We are encouraged that the Senate has passed key portions of the legislative proposal that the president sent to Congress in January," Lisa Monaco, the president's homeland security advisor, told the Washington Post. "We are hopeful that the Senate and House can work together expeditiously to send cybersecurity legislation to the president's desk."

The bill would enable a voluntary information sharing system that would be managed by the Department of Homeland Security. If an organization were to detect unusual or questionable activity on its networks, it could share that information with DHS, which would then put out alerts to other companies.

CISA's proponents, which include leading health IT groups such as HIMSS and CHIME, say the legislation will better enable the government to help private sector organizations secure their information systems by giving it more insight into the cyber threats they face.

But many civil liberties groups – as well as some tech companies such as Apple and Twitter – have opposed the bill, raising the possibility that data sharing with the feds could go beyond technical "threat indicators" and give agencies such as the NSA wider latitude to collect potentially personally identifiable data.

Despite those concerns, the Senate rejected amendments to the bill "that would require more stringent reviews by companies to remove personal information before sharing data with the government," according to the Post, "as well as other amendments aimed at removing restrictions on Freedom of Information Requests over data shared under the program and tightening the definition of 'threat indicators.'"

But healthcare groups have applauded the legislation's aim of bolstering cyber defenses at a time when security threats, from homegrown hackers to nation states, are more widespread and tenacious than ever.

The bill "contains critical provisions that would move the entire healthcare community forward in addressing the many challenges of an increasingly complex health IT cybersecurity landscape," according to a statement from Lisa Gallagher, HIMSS' Vice President, Technology Solutions.

HIMSS, parent company of Healthcare IT News, expressed strong support for the establishment of an "industry task force to analyze barriers faced by the sector, assess potential lessons learned from other sectors and develop a plan to ensure all healthcare organizations have access to actionable cyber threat data from the government."

As they face myriad cyber threats, healthcare leaders "need this information in one place, in actionable form, in near real time, through a no-cost mechanism," said Gallagher.

The College of Healthcare Information Management Executives also cheered CISA's Senate passage, saying it will "enable the nation's chief information officers and chief information security officers to better protect patient health information."

Once signed into law, CISA "will allow CIOs and CISOs to share threats and vulnerabilities through a secure national information-sharing infrastructure with the necessary liability protections in place and will not risk patient trust," according to an October 27 CHIME statement. "As an important piece of the nation's critical infrastructure, it is vital that healthcare organizations have the tools and information they need to identify and more effectively defend against growing cyber threats."

CHIME, which issued its statement in conjunction with the Association for Executives in Health Information Security (AEHIS), noted that the Senate-approved bill has language that would establish a framework focused on healthcare and instruct the Department of Health and Human Services to identify a specific leader on cyber preparedness.

CHIME and AEHIS advocated the following for healthcare-specific CISA provisions:

  • HHS should convene healthcare industry stakeholders to develop industry-specific standards for protecting health information from cyber criminals and other sources of threats.
  • HHS should promote better cybersecurity information sharing between the private sector and government, and enhance collaboration and information sharing amongst the private sector.
  • Congress should pursue legislative action to strengthen information-sharing networks across public and private stakeholders, with emphasis on healthcare.

"Federal leadership is critical for ensuring the nation's hospitals and health systems, big and small, urban and rural, are better equipped with the resources they need to secure patient information," said Charles E. Christian, chair of the CHIME board of trustees, in a statement. "The healthcare sector has become a prime target for bad actors and it's important that the federal government works in conjunction with the industry to ensure provider organizations understand best practices to protecting patient data."