Section 405 of Title IV of the Cybersecurity Act is tailored specifically to cybersecurity matters affecting public and private health care entities.  Section 405 of Title IV seeks to improve the cybersecurity landscape in the health care industry in a few key ways. 

First, Section 405(b) of Title IV directs the Secretary of the Department of Health and Human Services (“HHS”) to submit a report on “the preparedness of the [HHS] and health care industry stakeholders in responding to cybersecurity threats” to the Committee on Energy and Commerce of the House of Representatives and the Committee on Health, Education, Labor, and Pensions of the Senate.  (For purposes of Section 405 of Title IV, health care industry stakeholders include health plans, health care clearinghouses, health care providers, pharmacists, pharmaceutical or medical device manufacturers, and other industry players.)  This report must include both “a clear statement of the official within the [HHS] to be responsible for leading and coordinating efforts of the Department regarding cybersecurity threats in the health care industry” and “a plan from each relevant operating division and subdivision of the [HHS] on how such division or subdivision will address cybersecurity threats in the health care industry.”

Next, Section 405(c) of Title IV requires the establishment of a task force dedicated to cybersecurity matters in the health care industry.  The subsection directs the HHS Secretary—upon consultation with the Secretary of Homeland Security and the Director of the National Institute of Standards and Technology—to bring together various public and private experts to create the task force.  The task force’s mandate includes, inter alia, analyzing “how industries, other than the health care industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries,” analyzing “challenges and barriers private entities … in the health care industry face securing themselves against cyber attacks,” providing the HHS Secretary “with information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry,” and reporting to Congress on its findings and recommendations.  The task force will operate for one year.

Finally, Section 405(d) of Title IV aims to align data security approaches throughout the health care industry by requiring that the HHS Secretary establish “a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes.”  These measures are designed to “serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations” and “support voluntary adoption and implementation efforts to improve safeguards to address cybersecurity threats.”  The subsection states that these voluntary cybersecurity practices and procedures must be consistent with the standards and regulations of section 2(c)(15) of the National Institute of Standards and Technology Act, section 264(c) of the Health Insurance Portability and Accountability Act of 1996, and the provisions of the Health Information Technology for Economic and Clinical Health Act (title XIII of division A, and title IV of division B, of Public Law 111–5).  Notably, Section 405(d) does not grant the HHS Secretary the authority to audit health care organizations for compliance with the subsection nor may health care industry stakeholders be held liable for “choosing not to engage in the voluntary activities authorized or guidelines developed” therein.  Nonetheless, companies in the health care industry should be attentive to the practices and procedures that ultimately emerge as these processes may become the industry standard going forward. 

Reporter, Kyle Sheahen, New York, +1 212 556 2234, ksheahen@kslaw.com