Senate passes CISA for coordinated cyberthreat sharing

The Senate voted 74-21 in favor of the Cybersecurity Information Sharing Act of 2015 which incentivizes companies to share cyberthreat data with the government.

Hospitals and health systems would get liability protections when they share cyberthreat data with the government in an effort to improve its detection, mitigation and response to such issues.

While critics said the bill would do little to strengthen cybersecurity and protect individuals' personal information, several medical associations voiced their support. 

In a joint statement, CHIME and the Association for Executives in Health Information Security said CISA is a significant advancement in cybersecurity that will better enable CIOs and CISOs to protect patient health information. The associations are "especially encouraged that the Senate-approved bill includes language that would establish a cybersecurity framework specifically focused on health care and instructs [HHS] to identify a specific leader on cyber preparedness.”

The Health Information Trust Alliance also supports the bill, which "recognizes the importance of a health industry specific cybersecurity framework as well as associated guidance and best practices."

HIMSS also expressed its support, citing the creation of an industry task force charged with developing a plan to ensure healthcare leaders have access to actionable cyberthreat information, through a single source, at no cost.

“The healthcare community will further benefit from the establishment of a common set of security and risk management best practices that can be implemented consistently across the sector and mapped to a single, voluntary, national health-specific cybersecurity framework,” according to the association’s statement.

However, not everyone is pleased with the bill. CISA is a "a huge step backwards" for privacy rights, according to Greg Nojeim, senior counsel at the Center for Democracy and Technology. "Now, more personal information will be shared with the [National Security Agency] and with law enforcement agencies, and that information will certainly be used for purposes other than enhancing cybersecurity.”

Under CISA, a task force of health industry leaders and cybersecurity experts will identify challenges and solutions for cybersecurity and create a central, federal resource on cyber intelligence for rapid response to active threats. The Department of Health and Human Services will appoint an official charged with coordinating health cybersecurity efforts. HHS also will produce reports on emerging healthcare cyberthreats and create best practices for healthcare providers to follow data security measures.