New HHS Cybersecurity Initiative: Too Little Too Late?

After years of increasingly dangerous data security and privacy breaches across the American healthcare environment, HHS has decided to take preventative action. On July 25, HHS announced it will fund a new resource that will share “the most up-to-date cyber threat information across the health and public health sectors and will better equip health systems to identify potential threats and further protect electronic health information.”

This is a step forward in strengthening healthcare’s war against cyber criminals, since thus far health-related organizations have been on their own in dealing with them. But the fine print behind the HHS initiative predicts a painfully long and arguably underfunded project that will take years until we see much benefit. Here’s why.

HHS announced that it is offering coordinated grant opportunities through ONC and the office of the Assistant Secretary for Preparedness and Response (ASPR), to provide a “concerted, centralized effort needed to protect the country’s healthcare environment and data.” The dual grants will be awarded to an existing Information Sharing and Analysis Center (ISAC) that is already providing outreach and technical assistance to participating organizations on cybersecurity threats specific to the health care and public health sectors. The grants will  support expansion of the ISAC’s outreach and education capabilities to meet these goals:

• Provide more and better information and education on cyber threats to health data
• Increase education outreach on cyber threats
• Help equip affected organizations with tools to take action on threats
• Facilitate information sharing across the healthcare and public health sector and federal cybersecurity partners

Karen DeSalvo, chief of ONC, said “Establishing robust threat information sharing infrastructure and capability within the health care and public health sector is crucial to the privacy and security of health information, which is foundational to the digital health system.”

The two grants (see Grants.gov) will award the winner a combined $250,000 for the first year of what is described as a five-year initiative with a total of approximately $1.25 million to be provided “subject to the availability of funds and satisfactory performance of the recipient….” Entries by qualified non-profit organizations must be submitted by late August, 2016.

Here’s HHS’ plan: (Or, if you want to skip the year-by-year details, jump down a few paragraphs for a summary.)

• Year 1 (2017): The awardee is to deliver a gap analysis of information sharing within the hospital / public health sector (HPH), develop a concept of operations for sharing between HPH and the federal government, and start developing plans based on this concept.
• Year 2 (2018): Based on the approved concept, the selected ISAC will coordinate with HHS and the HPH sector to expand its communications reach to be able to share threat information beyond its current membership base to the entire HPH Sector. This effort is expected to include expanding the ISAC’s IT and communications infrastructure. The ISAC will also develop a business plan using a tiered membership fee structure for members to receive full outreach benefits. Options for basic information will be created for non-paying members.The ISAC will also work on coordinating communications structures with other organizations including federal cybersecurity partners.
• Year 3 (2019): The ISAC will continue to “develop, implement, evaluate, and refine operational information sharing plans.”
• Year 3 – 5 (2019 – 2021): By this time, the ISAC is expected to begin serving as the main point of contact to support, promote, and enhance information sharing, including being the conduit for private sector entities to share cybersecurity information with federal investigative operations. It also will become the lead organization coordinating analysis and response activities for HPH sector cyber incidents, including developing comprehensive analytical products and creating a more complete picture of cyber threats.

The summary:

It’s fair to say that creating and deploying a nationwide health cybersecurity protection program will not be a simple endeavor. Nevertheless, the outlined project suggests that few if any benefits will be realized by the health care community for up to  three years, as the grant awardee works with HHS  through a painstaking process of gap analysis, concept building, plan design and infrastructure expansion. Further, the funds HHS is allocating seem paltry in comparison to the project’s ambitious size and complexity. It is also worth noting that the objective to eventually share program costs with the private sector through a tiered membership fee structure will prevent many organizations who need the most help from getting it.

In the meantime — right now — many hospitals, practices and other healthcare providers don’t have the resources or information they need to protect themselves from cyber attacks. Healthcare records for one in three Americans were breached in 2015, a dramatic increase over 2014.  Over 80 percent of healthcare executive respondents to a recent Modern Healthcare survey said they expect more cybersecurity attacks in 2016. So far this year, their fears have been justified.

Assistant Secretary for Preparedness and Response Nicole Lurie said during the HHS announcement that with this new bi-directional initiative shared by the federal government and the health care / public health sector, HHS hopes “to build the capacity to better prevent, detect and respond to cyberattacks.”

No one can disagree with that sentiment. But the overall project carries a major downside: no near term benefits. This initiative will proceed over a long, dangerous five year period of innumerable cyber threats. What about solutions for today and tomorrow?

Source