On October 27, 2015, the Senate passed the Cybersecurity Information Sharing Act (CISA). This very controversial measure encourages but does not require businesses and government agencies to share information related to malicious hackers and their methods. Many in the technology community agree that although the intent of the bill is good, the implementation is terrible.
The dialogue surrounding CISA has been going on for more than a decade. High-profile cyber security breaches at many companies in 2015 and earlier have finally helped focus attention on action. Unfortunately, amid the current hysteria over recent acts of cyber terrorism, the federal government tends to be more reactive than proactive.
Most privacy advocates, large technology companies and cyber security experts are opposed to CISA. In essence, their position is that CISA may only encourage more government surveillance, since the shared data can be used by the NSA and others to spy on citizens. Since companies face no liability for handing over data, there is no real incentive to make sure that all personal information is removed. Previous versions of the CISA bill exposed companies to liability and privacy concerns if they had to hand over data to the government. The final bill waives liability to lawsuits. Unfortunately, due to late changes in the bill, there are no measures that require or guarantee that businesses or governments remove metadata that could be passed along and used to identify individuals. As a practical matter, removing metadata can be a difficult task to automate.
Unfortunately, CISA does not address the real root causes of the problem, which are unpatched hardware and software, malware, and the failure to use encryption where it is appropriate. Also, since participation is not mandatory, it is difficult to see how real results may be achieved. There are benefits to encouraging the sharing of information, but the implementation of the bill makes this sharing optional. Modern healthcare organizations and hospitals use a great many technology products, so sharing information about possible threats can be helpful. There is a great deal of complexity in keeping hardware and software updated to prevent hackers from penetrating the security of a healthcare organization. It is difficult for both large and small healthcare organizations to keep up with patching their systems, as bugs and security holes are constantly being identified in infrastructure and software. When an actual breach happens, it is very often due to not utilizing information that is already available, because that information is so voluminous and changes on a daily basis.
CISA is very significant for healthcare organizations because they have no liability if they hand over PHI that goes to government organizations and, eventually, to other healthcare organizations through sharing. In other words, if a hospital or healthcare organization deems that it has been subject to a mere cyber security threat, it can hand over related data to other private organizations as well as to governments without any penalties, even if it does not remove individually identifying information such as PHI. Essentially, HIPAA policies and procedures can be violated with no liability to these healthcare organizations.