The Cybersecurity Act of 2015 was designed to create a bridge between the Department of Homeland Security (DHS) and its National Cybersecurity & Communications Integration Center (NCCIC) to ease and secure cybersecurity-related information sharing, whether private or public. It was signed into law on December 18, 2015, by then-President Obama, and is considered the most important cyber-related federal law passed to date: it provides a set mechanism for sharing cybersecurity-related information securely between private sector companies and federal government organizations. The Cybersecurity Act of 2015 outlines NCCIC's role in assessing and reacting to cybersecurity risks and threat indicators. It also authorizes the president to transfer control of dealing with a cybersecurity threat to an entity other than NCCIC, even one outside the DHS, with the exception of the Department of Defense.
Key Provisions of the Cybersecurity Act of 2015
The following are some key provisions of the Cybersecurity Act of 2015:
- It contains prerequisites for evaluating the federal government's cybersecurity workforce, provisions to strengthen and maintain cybersecurity for federal agencies, and measures intended to improve cybersecurity by enhancing the preparedness of critical information systems and networks.
- It also protects private entities that share cybersecurity information in accordance with set protocols from liability.
- It can grant various entities, including those outside the federal government, the authority to operate and monitor defensive measures and information systems for the purpose of cybersecurity.
Role of Cybersecurity for Healthcare
In today's world, where information about individuals and the stakeholders involved is stored electronically, including in the healthcare industry, cybersecurity for healthcare plays a vital role in protecting that information so that a healthcare organization can function seamlessly.
The following are some of the information systems that healthcare organizations commonly use and that require healthcare cybersecurity:
- EHR systems
- Clinical decision systems
- Practice management systems
- Radiology information management systems
- Computerized physician order entry systems
Moreover, devices managed through the Internet of Things (IoT), including smart elevators, smart heating, and ventilation systems, also need to be protected, and the responsibility for protecting them falls to the healthcare cybersecurity department.
Some of the cybersecurity threats to a healthcare organization can come through the following:
- Email threats like phishing
- Physical security
- Threats to legacy systems
- Threats to other stakeholders, like patients and workforce members
The Launch of the HHS 405(d) Website
To fight cyber-related crime effectively and efficiently, the Department of Health and Human Services (HHS), in collaboration with the Office of Information Security (OIS) and the Office of the Chief Information Officer (OCIO), has launched a website, having agreed that the most effective way to fight a cybersecurity threat is to fight it together. The website for the HHS 405(d) Aligning Health Care Industry Security Approaches Program was developed in partnership with the HHS 405(d) Task Group, which includes over 150 individuals from the healthcare industry and federal government agencies. The HHS 405(d) Program was created as a response to the Cybersecurity Act of 2015, under which HHS initiated the CSA 405(d) Task Group. The purpose of this group is to align industry practices that strengthen cybersecurity and to develop a common set of industry-led cybersecurity guidelines that healthcare institutions can use to prevent cyber threats. These guidelines are detailed in 405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).
The department and offices have worked tirelessly together to develop this website, which serves as an effective tool in fighting cybercrime. Through this newly developed website, the 405(d) Program upholds the motto that Cyber Safety is Patient Safety.
The HHS 405(d) website equips the public and private healthcare sectors by offering the following:
- Impactful videos and tools that can create awareness about cyber threats and provide best practices for implementing cybersecurity
- Healthcare resources such as infographics and posters for cybersecurity
- Recorded webinars
- Newsletters related to HHS 405(d) published in bi-monthly installments
- Cyber threat-focused tools to aid in training efforts and increase cybersecurity awareness
- A common platform for the various stakeholders involved with the cybersecurity of the healthcare industry
In the future, this website will be the platform that features all the new products or tools the 405(d) Task Group develops to tackle cyber threats.
Conclusion: Improving Healthcare Cybersecurity Through the HHS 405(d) Website
As more and more information is digitized, cybersecurity for healthcare has become an integral part of the healthcare system. As cyber threats become more sophisticated and more frequent, all the stakeholders involved clearly need to come together to tackle the menace. The HHS 405(d) website can serve as a great tool against both current and future cyberattacks, and can help create awareness and educate the stakeholders involved. It is an easily accessible space where the healthcare industry can find sophisticated and updated cybersecurity information related to the public and private health sectors.