ISA Healthcare Sector Specific Recommendations and the Presidential Commission on Enhancing National Cybersecurity

June 7, 2017

ISA Healthcare Sector Recommendations

Source: Chapter 4 of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity

Presidential Commission on Enhancing National Cybersecurity

Incentivize Healthcare to Implement Best Cybersecurity Practices

“A course shift away from prescriptive regulation and to regulation that encourages security best practices is desperately needed. That encouragement would best be achieved through the strategic application of liability relief and other complementary incentives. What I propose is regulation that would incentivize healthcare companies to aggressively implement security best practices by offering a sliding scale of liability protection on the basis of the company’s progress toward implementing an objective set of practices. The National Institute of Standards and Technology Cybersecurity Framework, and the process used to develop it, could provide a good starting point.

Sector and government coordinating councils should develop a healthcare-specific framework on the basis of research that documents which best standards and practices are most cost effective for the sector and subsectors.

For a level of security necessary for national security but not reasonable for private institutions to provide on a sustainable basis, a new system of market incentives is needed. This is another opportunity to level the playing field through the application of regulatory principles that incentivize desirable behavior. This could be taken further by also offering modest tax incentives for certain high-value, but often-overlooked, security best practices, such as employee awareness training.

The system would also have to adapt to using sliding scales, since it is impractical to expect smaller or rural organizations to fund the same degree of security apparatus as large, urban and multistate institutions.”

Commission Text: The right mix of incentives must be provided, with a heavy reliance on market forces and supportive government actions, to enhance cybersecurity. Incentives should always be preferred over regulation, which should be considered only when the risks to public safety and security are material and the market cannot adequately mitigate these risks.

Commission Action Item 1.4.5: The government should extend additional incentives to companies that have implemented cyber risk management principles and demonstrate collaborative engagement. (SHORT TERM)

Incentives must play a more substantial role in building a cyber-secure nation. To accomplish this goal, the next Administration and Congress should pass legislation that provides appropriate liability protections for businesses that engage in cyber risk mitigation practices that are consistent either with the Cybersecurity Framework or with common industry segment practices, and that engage in cyber collaboration with government and industry. Safe harbors would be particularly appropriate to consider in the context of providing business certainty for companies that operate in regulated sectors. Additional benefits to encourage enhanced cybersecurity might include tax incentives, government procurement incentives, public recognition programs, prioritized cyber technical assistance, and regulatory streamlining. In addition, research and development efforts should specifically include a detailed study of how best to improve network security through incentives.


Reduce Regulatory Complexity

“Congress should pursue legislation that harmonizes privacy, security, and information risk-management requirements to eliminate the complex patchwork of regulations… If a streamlines regulatory framework were in place, [highly valuable] resources could focus more time on actively monitoring and protecting against the daily variable threats.

Streamlining HIPAA audit requirements put into place by the HITECH Act is another place good place security could be incentivized. Audits drain resources from security budgets because money and time must go toward compiling documentation in auditor-friendly ways.”

Commission Action Item 1.4.3: Regulatory agencies should harmonize existing and future regulations with the Cybersecurity Framework to focus on risk management—reducing industry’s cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation. (SHORT TERM)

Commission Text: In the near future, the United States must establish as a norm that technology reliably safeguards sensitive data, such as financial information, health records, and proprietary corporate information, including intellectual property. We need technology that protects the privacy of individuals while still making it possible to provide consumers and companies with immediate access to products and services on demand, even under adverse conditions.

Use Security as a Factor of Reimbursement

“Include security as a factor in reimbursement. The Centers for Medicare and Medicaid currently employs value-based reimbursement modifiers; Congress should allow CMS to consider a similar principle to be applied to healthcare enterprises investing in security.”                Commission Recommendation 1.3: The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.

Commission Action Item 1.3.1: The next Administration should require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication. (SHORT TERM)

Commission Text: Identity management is a major cybersecurity issue for which government can be an effective catalyst for large-scale adoption. The federal government should adopt industry-based capabilities for strong authentication for all external-facing applications that require identity management. Coordinated efforts should immediately be initiated for a variety of external-facing government services, including for… health care programs at the Centers for Medicare and Medicaid Services. The Commission believes strongly that if government requires strong authentication, the private sector will be more likely to do the same.