On December 18, just weeks before the end of 2015, Congress passed its usual Federal Omnibus Government Spending package for the year. Included in this piece of legislation was a certain 2009-page-long document—the Cybersecurity Act of 2015. Luckily for you, I decided to go ahead and do all the grunt work for our readers so that none of you have to read through this monster of a document (FYI—I very nearly froze up my computer trying to download a gigantic PDF file of it, but luckily I found that I could just read it straight off the Congress.gov website instead).
To be honest, I quickly figured out that only about nine pages of this cybersecurity law are actually relevant to healthcare providers (the other 2,000 pages… not so much).
Out of those nine pages, there are six main items that healthcare providers need to be aware of in the Cybersecurity Act of 2015:
- The law places a two-year hold on the so-called “Cadillac Tax,” a forty percent excise tax on high-cost employer-sponsored health insurance plans. This tax was originally supposed to go into effect in 2018, but the new effective date is set for 2020.
- Within a year, the bill requires the Department of Health and Human Services (HHS) to prepare and submit a report to Congress on both HHS’s and the overall healthcare industry’s readiness to respond to cybersecurity threats (based on their track record, I predict this is going to be one interesting—or maddening—read).
- HHS is required to select a qualified individual to take the lead on cybersecurity initiatives and to create detailed methods for dealing with cybersecurity threats in the healthcare industry.
- Within 90 days, HHS must become part of a joint cybersecurity task force (along with the Department of Homeland Security and NIST). In this task force, HHS will be tasked with analyzing actions and protocols related to security issues that affect electronic health records (EHR) and interoperability.
- All government agencies must continue to educate stakeholders to improve preparedness, while creating action plans for sharing defensive measures and cybersecurity threat indicators between the government and other entities. They must also establish consensus-based, voluntary best practices across all agencies to improve overall security and minimize the impact of cybersecurity threats.
- The Cybersecurity Information Sharing Act provides liability protection to private sector entities that share and receive information related to cybersecurity threats. It establishes what protected health information (PHI) or other personal information must be removed before data sharing can occur, as well as how soon individuals must be notified when their information has been shared.
So it looks like the Cybersecurity Act of 2015 is going to mean a lot of work for a lot of folks in a lot of government agencies in 2016. However, considering the fact that the healthcare industry has seen some of the worst cyberattacks in recent years, this is work that definitely needs to be done.