Tucked inside the $1.1 trillion fiscal year 2016 omnibus spending package President Barack Obama signed into law last Friday was the Cybersecurity Act of 2015, a bill which establishes a voluntary framework for public, private and government organizations to share information on cyberthreats.
Here are seven things to know about the Cybersecurity Act of 2015.
1. There are two components to the Act. Title I is "Cybersecurity Information Sharing" and Title II is "National Cybersecurity Advancement." The first section establishes the main information sharing framework, and the second outlines requirements and guidelines for the federal government on establishing cybersecurity-related improvements.
2. The Department of Homeland Security will be the key agency serving as the portal for threat information sharing, but President Obama can designate another agency to fill this role in the event DHS is unable to, provided Congress receives 30 days' notice explaining why the new agency overseeing the process is necessary and appropriate. The president may not designate the Department of Defense to this role.
3. Central to the bill is that organizations that share information related to cybersecurity and cyberthreats are provided liability protections and an antitrust exemption, so "no cause of action shall lie or be maintained in any court against any private entity" for voluntarily sharing information.
4. Critics of the bill say that while the law offers legal protection to companies sharing information with the government, it still allows law enforcement to directly access customer data. In a blog post for the Center for Democracy and Technology, Greg Nojeim and Jadzia Butler write, "The bill allows the president to designate other 'appropriate' civilian federal entities as information sharing portals, leaving room for scenarios in which companies would share — with full liability protection — information from Internet users' communications directly with federal entities such as the FBI and other agencies primarily concerned with law enforcement surveillance, not cybersecurity."
5. According to the Associated Press, businesses and governments must remove personally identifiable information from threat data before sharing that information with the government. There are two steps to the scrub: the company sharing the information performs the first scrub when sending the information to Homeland Security, and DHS performs the second scrub when passing the information on to other agencies. However, there are some scenarios in which PII may be passed on, such as when the cyberthreat relates to a loss of life, economic damage or injury, or the exploitation of a minor.
6. CHIME and HIMSS are two healthcare organizations that voiced support for the bill. HIMSS said the Cybersecurity Act of 2015 will advance the industry's efforts to address the health IT cybersecurity landscape. "HIMSS has consistently called for the need to ensure a single pipeline of actionable, real-time cyber threat data to healthcare leaders and facilitate a consistent implementation of a common set of security and risk management standards and best practices across the sector," the organization said in a statement.
7. CHIME mentioned how the bill will help IT executives in safeguarding patient data. "Healthcare chief information officers and chief information and security officers are tasked with the daunting job of protecting patient information in a highly digital environment," according to a CHIME statement. "The Cybersecurity Act of 2015 will allow CIOs and CISOs to share threat indicators and suspected vulnerabilities through a secure national information-sharing infrastructure with the necessary liability protections in place and will not risk patient trust."