
Big Brother is Watching: The Cybersecurity Information Security Act

By David Harlow, posted Wed December 23, 2015 12:40 PM

Well, here we are. A newly-selected Speaker of the House, beholden to a right-wing minority faction, appears to have broken faith with his broader constituency in the course of brokering his first budget deal. Setting aside for the moment the question of delaying implementation of two key funding mechanisms in the Affordable Care Act (i.e., deliberately underfunding health reform which, while we can debate the merits of the specific funding mechanisms, has proven to be a successful program that really should be supported, not undercut, by Congress), the 2016 federal omnibus budget deal has more broadly undercut the Speaker’s professed fiscal perspective.

There are many faults to be found both in the content of the budget and in the methods by which substantive legislation was slipped in late in the day, and this is not the place for a full cataloging of these issues. Focusing on the latter problem, most folks serious about a balanced approach to developing national policy would agree that — despite the appeal when an opportunity arises to promote a pet project through this mechanism — slapping riders onto must-pass legislation is no way to manage the nation’s business. This is particularly true where the rider in question — the Cybersecurity Information Sharing Act — has been debated over an extended period, yet has not been finalized because of some significant points of contention that remain.

The insomniacs out there can read the full text of CISA (it’s about 100 pages long, starting on page 1728 of the 2016 omnibus budget act). Those who need more sleep can read the summary of the version that passed the Senate in October 2015. (Just bear in mind that there are some changes in the final version.)

The Electronic Frontier Foundation had this to say about the Senate version of CISA this fall:

The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities [and] its inability to address problems that caused recent highly publicized computer data breaches, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.

[Nothing] could fix the fact that CISA doesn’t address the real cybersecurity problems that caused computer data breaches like Target and the U.S. Office of Personnel Management (OPM).

The passage of CISA reflects the misunderstanding many lawmakers have about technology and security. Computer security engineers were against it. Academics were against it. Technology companies, including some of Silicon Valley’s biggest like Twitter and Salesforce, were against it. Civil society organizations were against it. And constituents [were against it].

Senator Ron Wyden called the final version of CISA slipped into the budget bill worse than the Senate version described in the summary linked to above:

Unfortunately, this misguided cyber legislation does little to protect Americans’ security, and a great deal more to threaten our privacy than the flawed Senate version. Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers’ private data with only cursory review.

Ultimately, I cannot vote for this badly flawed CISA bill. The latest version of CISA is the worst one yet – it contains substantially fewer oversight and reporting provisions than the Senate version did. That means that violations of Americans’ privacy will be more likely to go unnoticed. And the Intelligence Authorization bill strips authority from an important, independent watchdog on government surveillance, the Privacy and Civil Liberties Oversight Board. This will make it easier for intelligence agencies – particularly the CIA – to refuse to cooperate with the Board’s investigations. Reducing the amount of independent oversight and constricting the scope of the PCLOB’s authority sends the wrong message and will make our intelligence agencies less accountable.

The multi-agency regime required by CISA is likely to further marginalize US-based companies in the eyes of the EU and the rest of the world in what looks like a misguided effort to improve national security. It seems to me that this approach is likely to undercut the reported negotiations underway to rehabilitate the US approach to cybersecurity and privacy post-Snowden, negotiations made necessary by the EU finding that data stored in the US is, by definition, not private or secure, because the NSA has access. (See the judgment of the European Court of Justice invalidating the safe harbor rule. Official presser here.)

The section of CISA focused on HHS calls on the Secretary to do little more than what HHS is already doing or should be doing without being told to do so by Congress. Here are the particulars:

In consultation with the director of the National Institute of Standards and Technology and the Secretary of Homeland Security, HHS would be required to form [a] taskforce within 90 days of enactment of the bill. That taskforce would examine how industries other than healthcare deal with cybersecurity threats.

The task force would also be in charge of:

  • Analyzing challenges for private healthcare entities to securing themselves against cybersecurity attacks
  • Reviewing hurdles for covered entities and business associates for securing networked medical devices and software that connects to electronic health record systems
  • Providing the HHS secretary with information to disseminate to industry stakeholders on preparing for and dealing with digital threats

The taskforce would be responsible for implementation of the aforementioned report, which HHS would need to deliver to the Senate’s Committee on Health, Education, Labor and Pensions, as well as the House Committee on Energy and Commerce, within one year of the bill’s enactment.

The report must include:

  • Acknowledgement of the individual charged with leading efforts against cybersecurity threats in the healthcare industry
  • Plans from each relevant operating division or subdivision within HHS on how they intend to combat cybersecurity threats

The notion of analyzing cybersecurity threats at one point in time via a task force that will sunset out of existence after delivering its report simply is not a realistic response to the dynamic nature of today’s threat environment. By contrast, consider the example of one leader in this arena who is focused on the ever-changing human factors: human ingenuity and human foibles.

To summarize, CISA appears to be more of a victory by fearmongers than anything else. It creates a framework that provides few if any privacy and security benefits to the general public, and instead creates a framework for interagency sharing of information that makes it more likely, rather than less likely, for private information to be inappropriately accessed. The healthcare-specific provisions seem to be too little, too late. Forward-thinking agencies and members of the regulated community are already doing good work in this arena, and while there is certainly room for improvement, it is far from clear that CISA will facilitate such improvement — and any such improvement comes at too great a cost.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Image credit: notionscapital via Flickr CC

Filed Under: Compliance, Health care policy, Health Law, HIPAA, HIT, OCR, Privacy, Security

