Washington Debrief: House Committee Examines Implementation of Cyber Threat Sharing Law
Congressional Affairs
House Committee Examines Implementation of Cyber Threat Sharing Law
Key Takeaway: The House Committee on Homeland Security heard from a variety of industry stakeholders on the status of implementation of the Cybersecurity Act of 2015, which seeks to improve cyber threat information sharing.
Why it Matters: The growing cyber threat landscape is not lost on Congressional leaders as they strive to provide resources for the federal government and incentives for the private sector to facilitate the sharing of cyber threat indicators. While the healthcare sector was not a direct topic of conversation, the Committee’s broad focus on the implementation of the information sharing policies put in place by the Cybersecurity Act of 2015 will be of great interest to the healthcare industry moving forward.
The Cybersecurity Act, which passed along with the Omnibus Appropriations Act and was signed into law on December 28, 2015, provides liability protections so that companies and other organizations can more freely exchange threat indicators. This includes “government-to-private” information sharing and “private-to-private” sharing. Witnesses and Committee members expressed interest in how to make cybersecurity threat information sharing of value to small and large businesses alike.
The legislation also included a healthcare-specific section, which provided directives to improve the Department of Health and Human Services’ internal cybersecurity readiness and called for the development and distribution of resources, scalable across the industry, to improve the healthcare sector’s cybersecurity hygiene.
Senators Launch Cybersecurity Caucus
Key Takeaway: The Senate will now have a Cybersecurity Caucus, an additional venue for educating Senators and their staff on the myriad of issues associated with cybersecurity.
Why It Matters: The gravity of the cybersecurity threats facing the nation is not lost on Congress. The issue has been bipartisan, and the launch of the Senate Cybersecurity Caucus last week continues that trend.
Founded by Senators Cory Gardner (R-CO) and Mark Warner (D-VA), the caucus will focus on various aspects of the cybersecurity threats including: national security, the economy, and digital security. According to the release announcing the caucus, “The caucus will provide unique opportunities to inform Senators on the major cyber policy issues facing Congress, introduce Senators and their staff to leading cybersecurity experts, and promote bipartisan and cross-jurisdictional discussions on this important issue.”
The House Cybersecurity Caucus, led by Representatives Michael McCaul (R-TX-10) and Jim Langevin (D-RI-02), has more than 70 members.
Federal Affairs
Information Sharing Final Guidance Released by DHS and DOJ
Key Takeaway: Last week the Department of Homeland Security (DHS) and the Department of Justice (DOJ) released final guidance for compliance with the Cybersecurity Act, which authorizes the voluntary sharing and receiving of cyber threat indicators and defensive measures for cybersecurity purposes that are consistent with certain privacy and civil liberty protections.
Why It Matters: Most relevant to healthcare delivery organizations is the Guidance to Assist Non-Federal Entities, which clarifies that protected health information (PHI), such as the information in an electronic health record (EHR), would not need to be shared in most cases, as it is not likely to be relevant to the threat indicator.
The guidelines released last week include:
- Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015
- Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015
- Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government
The Guidance to Assist Non-Federal Entities outlines the types of information that would qualify as cyber threat indicators, other types of information covered by existing privacy laws that would likely not be shared, how to share cyber threat indicators with the federal government, and the legal protections provided to those entities that share indicators and defensive measures as set forth in the Cybersecurity Act.
The Department of Homeland Security’s free Automated Indicator Sharing (AIS) capability enables the Federal Government and the private sector to exchange cyber threat indicators quickly. AIS is available through the Department’s National Cybersecurity and Communications Integration Center (NCCIC), a 24/7 cyber situational awareness, incident response, and management center. The Cybersecurity Act of 2015 designated AIS as the central hub for the sharing of cyber threat indicators between the private sector and the Federal Government.
IPPS Proposed Rule
Key Takeaway: CHIME submitted comments to CMS in response to their proposed rule on IPPS.
Why it Matters: CMS has called for more requirements around eCQMs under the IPPS proposed rule. CHIME continues to seek relief for CIOs and their respective hospitals around the burdens associated with meeting CMS’ requirements around quality reporting. Specifically, CHIME called upon CMS to:
- Maintain voluntary electronic submission until both providers and policymakers agree on the maturity of eCQM specifications.
- Continue the policy of four eCQMs for 2017 and do not increase the required number beyond what is in place for 2016.
- Retain a reporting period of a quarter rather than a full year.
- Prioritize adequate time for testing and deployment of eCQMs.
- Provide greater transparency around the measure validation pilot.
Meaningful Use Hardship Deadline Approaching
Key Takeaway: The deadline to file for a Meaningful Use Hardship is July 1.
Why it Matters: If you think you need a hardship to avoid a penalty in the 2017 payment year, you are urged to apply if you aren’t sure whether you meet all of the criteria. There is no downside to applying. CHIME reminds you to check our cheat sheet for pointers on filing and links to the application.