What is Cybersecurity Information Sharing Act of 2015?
On October 27, 2015, the Senate passed the Cybersecurity Information Sharing Act (CISA
). This very controversial measure encourages but does not require businesses and government agencies to share information related to malicious hackers and their methods. Many in the technology community agree that although the intent of the bill is good, the implementation is terrible.
Analysis of the CISA Cybersecurity Bill
This dialogue surrounding the CISA has been going on for more than a decade. High-profile cyber security breaches at many companies in 2015 and earlier have finally helped focus attention on action. Regrettably, with the current hysteria of recent acts of cyber terrorism, the federal government tends to be more reactive than proactive.
Most privacy advocates, large technology companies and cyber security experts are opposed to CISA. In essence, their position is that CISA may only encourage more government surveillance, since data can be used by the NSA and others to spy on citizens. Since there is no liability for companies handing over data, there is no real incentive to make sure that all personal information is removed. Previous versions of the CISA bill exposed companies to liability and privacy concerns if they had to hand over data to the government. The final bill waives liability to lawsuits. However, due to late changes in the bill, there are no measures that require or guarantee that businesses or governments remove meta data that could be passed along and used to identify individuals. As a practical matter, removing meta data can be a difficult task to automate.
CISA does not address the real root cause of the problem, which is unpatched hardware and software, malware and lack of using encryption when it is appropriate. Also, since there is no mandatory participation, it is difficult to see how real results may be achieved. There are benefits to encouraging the sharing of information, but the implementation of the bill makes this sharing optional. There are a lot of technology products used by modern healthcare organizations and hospitals, so information sharing regarding possible threats can be helpful. There is a great deal of complexity in keeping hardware and software updated to prevent hackers from penetrating the security of a healthcare organization. It is difficult for both large and small healthcare organizations to keep up with patching their systems, as bugs and security holes are constantly being identified in infrastructure and software. When an actual breach happens, it is very often due to not utilizing information already available, since it is so voluminous and changing on a daily basis.
In some ways, provisions of the CISA Act are redundant, as today there are government and private organizations that help with providing security vulnerability information. For example, The Department of Homeland Security already established its U.S. Computer Emergency Readiness Team in 2003. The objective of this agency is to share information with other government agencies and the commercial sector. CISA does not outline how the commercial sector can actually access the data collected.
How Does the CISA Law Affect Healthcare Organizations and Hospitals?
Healthcare organizations have to get involved and spend resources to understand all of this. In other words, if a hospital or healthcare organization deems that it has been subject to a mere cyber security threat, it can hand over related data to other private organizations as well as governments without any penalties, if it does not remove individually identifying information such as PHI. Essentially, HIPAA policies and procedures can be violated with no liability to these healthcare organizations.
Ultimately, the patient is the loser. Healthcare organizations need to establish policies and procedures that ensure that any data handed over is properly scrubbed of any PHI. This is going to require technology and legal resources as well as leadership time and attention, which is a scarce resource in so many healthcare organizations. Many hospitals are deep in the process of either converting from paper to eHealthRecords (EHR) or are working through the technical fallout from making a conversion that may take years of attention and resources.
Hospital and healthcare organizations are on their own to actually determine what is indeed a security threat. Each day almost every secured network is prodded and poked at by bad actors looking for security holes to exploit. Healthcare organizations need to establish criteria that constitutes a cyber security, which they can report to others and/or the government.
CISA does not have any mandatory reporting requirements—and that is a key flaw. Since participation is optional, it really has no "teeth" and runs the risk of actually causing more problems. Since there are no reporting thresholds established, there actually may be little information sharing. Also, people generally have a tendency to not want to share information about critical vulnerabilities, especially until they are fixed. Informing third parties about vulnerabilities is inherently risky, as this information could be compromised via an unsecured communication channel such as standard email or telephone. This information could easily get in the hands of bad actors. On the other hand, in the time it may take an organization to fix an issue before reporting it, the security of many more organizations could be compromised. Information sharing about security is not as easy as it sounds.
Perhaps a better solution would be to have the government offer financial incentives (i.e. reimbursements) for implementing higher security standards and for passing rigorous intrusion/penetration testing. This is a more proactive approach in preventing problems. In essence, have private and government organizations pool their security expertise and use this as a preventative measure by doing what the industry calls "ethical hacks." These are planned attempted hacks that the hacker and hackee both know about and perform with the objective being identifying security vulnerabilities before bad actors have a chance to do so.