Health Provisions in the Omnibus Appropriations: Cybersecurity in the Healthcare Industry

Stephanie Kennan
McGuireWoods LLP
Contact
LinkedIn
Facebook
X
Send
Embed

The omnibus appropriations legislation that Congress passed last week contained a variety of health-related provisions. These provisions include rescinding funding for the Independent Payment Advisory Board (IPAB), deficit-neutral language related to risk corridor payments and cybersecurity.

Within a title dealing with cybersecurity issues, including within the federal government, section 405 requires the Department of Health and Human Services to provide the Senate HELP Committee and the House Energy and Commerce Committee with a report within one year. That report is to provide a clear statement concerning who is responsible for leading and coordinating efforts at HHS regarding cybersecurity threats in the healthcare industry and provide a plan from each relevant operating division and subdivision. The legislation also creates a healthcare industry cybersecurity task force that shall include healthcare industry stakeholders as well as cybersecurity experts, and any federal agencies or entities the Secretary determines appropriate to:

  1. Analyze how industries other than healthcare have implemented strategies and safeguards for addressing cybersecurity threats;
  2. Analyze challenges and barriers private entities in the healthcare sector face in securing themselves against cyberattacks;
  3. Review challenges that covered entities and business associates face in security networked medical devices and other software or systems that connect to an electronic health record;
  4. Provide the secretary with information to disseminate to healthcare industry stakeholders of all sizes for purposes of improving their preparedness for and response to cybersecurity threats;
  5. Establish a plan for implementing so the federal government and healthcare industry stakeholders may in real time share actionable cyber threat indicators and defensive measures; and
  6. Report findings and recommendations to the appropriate congressional committees.

The task force is terminated one year after the date on which it is established.

In addition, the Secretary shall establish a common set of voluntary consensus-based and industry-led guidelines, best practices and methodologies that:

  1. Serve as a resource for cost-effectively reducing cybersecurity risks for a range of healthcare organizations;
  2. Support voluntary adoption and implementation efforts to improve safeguards to address threats; and
  3. Are consistent with the standards and guidelines developed by the National Institute of Standards and Technology Act, the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the provisions of the Health Information Technology for Economic and Clinical Health Act.
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© McGuireWoods LLP

Written by:

McGuireWoods LLP
McGuireWoods LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

McGuireWoods LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide