The hospital field may not be directly identified in recent executive branch action on cybersecurity, but that doesn’t absolve hospital leaders from shoring up their defenses and paying close attention to what’s happening on the national stage.
Last week, President Obama signed an executive order aimed at improving information sharing within the private sector and with the government. The order calls for a clearinghouse where companies and the government can compare notes about cyber threats. That comes a month after the administration proposed the Personal Data Notification & Protection Act. Among other things, the legislation seeks to force companies to more rapidly disclose a data breach. Currently, the legislation wouldn’t immediately impact HIPAA-covered entities, according to legal sources. It would, however, have implications for stolen employee data.
Taken together, the initiatives seem to indicate that the administration is pushing for greater transparency of cyber risks. Stephen Cobb, senior security researcher at ESET, a San Diego-based IT security firm, says it is not yet clear how Information Sharing and Analysis Centers formed by the executive order will differ from existing Information Sharing and Analysis Centers.
Washington attorney Adam Greene of Davis Wright Tremaine says hospitals and health systems could benefit from greater opportunities for sharing information. “Ultimately, the intent is to ensure the continued availability of crucial infrastructure,” he says.
In a recent blog post, Cobb and his colleague Cameron Camp suggest health data is vulnerable at four levels, each with different consequences. For instance, basic information such as names and email addresses can be used for data mining and spam attacks. At the highest level, medical information can be used for billing fraud and acquiring prescription drugs.
As detailed in this article in the February issue of H&HN, hospitals are taking steps to mitigate the risk of a data breach.