Keep abreast of the new cybersecurity laws.
With cyberattacks on the rise, the Strengthening American Cybersecurity Act is an item not to overlook.
The Strengthening American Cybersecurity Act, which passed in the Senate on March 2, 2022, could have ramifications for the healthcare industry. First, a bit about the legislation. It comprises the following:
For those unfamiliar with them, the Federal Information Security Management Act of 2002 (FISMA) and the Federal Information Security Modernization Act of 2014 (also FISMA, which enhances and clarifies the 2002 FISMA) require U.S. Government agencies to implement information security controls using a federal risk-based approach to information security assessment. The primary framework for FISMA compliance is detailed in NIST SP 800-53 (rev. 5). FISMA 2022 builds on the previous FISMA laws. Importantly, FISMA applies to government contractors if they operate federal systems, such as cloud-based platforms.
When providers sign a CMS Form 855 or its electronic counterpart, PECOS, for example, there is no express requirement to adhere to FISMA. Having said that, if a cloud provider or an EHR vendor is contracting with the State Department, the Department of Defense, or the Veterans Administration, that is a different procurement process, which has an express provision for complying with FISMA. FISMA also extends to government contractors who subcontract with cloud providers and EHR vendors, so ensuring that all the requisite technical, administrative, and physical safeguards set forth in the HIPAA Security Rule, as well as their NIST counterparts, are in place is critical for making truthful attestations.
Another important definition, which appears in Section 3598 of SACA, is the term "major security incident." It is distinct from the definition of "breach" under CFR §164.402 of HIPAA, which states, "[t]he acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information." Because the two definitions and their associated reporting timeframes do not line up, the best course of action is always to err on the side of the shorter timeframe and incorporate the requirements into relevant policies and procedures, as well as enterprise risk management programs.
While we think of critical infrastructure as being relevant to all hospitals, both private and public, neither HIPAA nor hospitals are expressly mentioned in SACA. HHS-OCR is tasked with enforcing civil liberties as they relate to a person's protected health information. And protecting the "civil liberties or public health, and safety of the people of the United States" is expressly stated in the Act. It is crucial to watch for developments and guidance regarding the term "major incident."
Finally, there is a lot of chatter surrounding the shortened breach reporting periods. For those in the healthcare industry who fall under either HIPAA or the Federal Trade Commission's Breach Notification Rule, the notion of shorter reporting periods should not come as a shock, because many states have already enacted shorter reporting periods. It is also imperative to read SACA § 3592 (Notification of Breach). SACA differs from HIPAA in its language for reporting to a government agency and to any individual potentially affected by the breach, so read it closely. In closing, this is a piece of legislation to stay apprised of. Now is a good time to ensure that an organization's Breach Notification Policies and Procedures are updated to reflect the most current state reporting requirements, and that the requisite annual Risk Analysis is done to assess technical, administrative, and physical safeguards.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.