July 27, 2016
After years of increasingly dangerous data security and privacy breaches across the American healthcare environment, HHS has decided to take preventative action. On July 25, HHS announced it will fund a new resource that will share “the most up-to-date cyber threat information across the health and public health sectors and will better equip health systems to identify potential threats and further protect electronic health information.”
This is a step forward in strengthening healthcare’s war against cyber criminals, since thus far health-related organizations have been on their own in dealing with them. But the fine print behind the HHS initiative predicts a painfully long and arguably underfunded project that will take years until we see much benefit. Here’s why.
HHS announced that it is offering coordinated grant opportunities through ONC and the office of the Assistant Secretary for Preparedness and Response (ASPR), to provide a “concerted, centralized effort needed to protect the country’s healthcare environment and data.” The dual grants will be awarded to an existing Information Sharing and Analysis Center (ISAC) that is already providing outreach and technical assistance to participating organizations on cybersecurity threats specific to the health care and public health sectors. The grants will support expansion of the ISAC’s outreach and education capabilities to meet these goals:
Karen DeSalvo, chief of ONC, said “Establishing robust threat information sharing infrastructure and capability within the health care and public health sector is crucial to the privacy and security of health information, which is foundational to the digital health system.”
The two grants (see Grants.gov) will award the winner a combined $250,000 for the first year of what is described as a five-year initiative with a total of approximately $1.25 million to be provided “subject to the availability of funds and satisfactory performance of the recipient….” Entries by qualified non-profit organizations must be submitted by late August, 2016.
Here’s HHS’ plan: (Or, if you want to skip the year-by-year details, jump down a few paragraphs for a summary.)
It’s fair to say that creating and deploying a nationwide health cybersecurity protection program will not be a simple endeavor. Nevertheless, the outlined project suggests that few if any benefits will be realized by the health care community for up to three years, as the grant awardee works with HHS through a painstaking process of gap analysis, concept building, plan design and infrastructure expansion. Further, the funds HHS is allocating seem paltry in comparison to the project’s ambitious size and complexity. It is also worth noting that the objective to eventually share program costs with the private sector through a tiered membership fee structure will prevent many organizations who need the most help from getting it.
In the meantime — right now — many hospitals, practices and other healthcare providers don’t have the resources or information they need to protect themselves from cyber attacks. Healthcare records for one in three Americans were breached in 2015, a dramatic increase over 2014. Over 80 percent of healthcare executive respondents to a recent Modern Healthcare survey said they expect more cybersecurity attacks in 2016. So far this year, their fears have been justified.
Assistant Secretary for Preparedness and Response Nicole Lurie said during the HHS announcement that with this new bi-directional initiative shared by the federal government and the health care / public health sector, HHS hopes “to build the capacity to better prevent, detect and respond to cyberattacks.”
No one can disagree with that sentiment. But the overall project carries a major downside: no near term benefits. This initiative will proceed over a long, dangerous five year period of innumerable cyber threats. What about solutions for today and tomorrow?