Daniel Nutkis, CEO of the leading healthcare cybersecurity organization HITRUST, is worried that new federal efforts to improve cybersecurity will interfere with the methods already practiced by the private sector.
During a hearing before the Senate Committee on Homeland Security and Governmental Affairs on Wednesday, Nutkis questioned the very purpose of a new cybersecurity communications center.
Nutkis also argued in written testimony that his organization has worked in the past with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which he said serves as a prototype for HHS’s new Health Cybersecurity and Communications Integration Center (HCCIC).
In fact, HITRUST was surprised to learn that HHS was creating its own center.
He argued that the new guidance around NIST’s Cybersecurity Framework is based on guidelines developed by the private sector, and further wrote,
“Clear guidance and communication should be established to ensure private sector activities are supported and not duplicated by government programs,”
Nutkis also condemned HHS’s enforcement approach. He criticized the random compliance audits conducted by the HHS Office for Civil Rights (OCR), stating that these have forced hospitals to divert energy and resources to compliance.
He put forward a new policy that would exempt facilities that meet certain minimum privacy and security standards from OCR audits.
Under this policy, providing such safe harbors would encourage facilities to adopt cybersecurity best practices, which in turn would allow regulators to focus on the providers with the biggest compliance concerns.
In support of his policy, he wrote,
“This approach would create cost savings to the industry by not having to prepare for unnecessary government audits, and save government resources by not using taxpayer dollars to assess organizations that can already demonstrate compliance.”
Federal cybersecurity officials and industry experts also said it is high time to defend against constant attacks. Leo Scanlon, HHS deputy chief information security officer, said the HCCIC was “an integral part” of the response to the WannaCry attack and of the government’s ability to disseminate information to providers.
HHS is also looking at a new approach to its data breach portal, known as the “wall of shame,” that could limit the amount of time healthcare systems remain posted on the site.
Date: June 22, 2017