The Health Sector Coordinating Council (HSCC) has come out strongly against the proposed update to the HIPAA security rule, which was put forth by the Biden administration in its final days. Instead, HSCC is advocating for a more collaborative approach involving healthcare sector leaders to develop cybersecurity requirements that are both realistic and achievable.
Greg Garcia, the executive director of cybersecurity at HSCC, emphasized the need for flexibility in allowing healthcare organizations to determine how best to improve their cybersecurity measures. He highlighted the importance of moving towards higher standards of accountability to enhance cybersecurity across the healthcare sector and ultimately improve patient safety.
The main concern raised by HSCC members, including 52 healthcare industry groups, was that the proposed HIPAA security rule update was either too stringent or too vague, making compliance both difficult and costly. This uncertainty about compliance could undermine the effectiveness of cybersecurity efforts in the sector.
Garcia referenced previous successful collaborations between government and critical infrastructure sector leaders, such as the development of the National Institute of Standards and Technology’s cybersecurity framework in 2014. Drawing on this precedent, HSCC proposed a one-year collaborative effort to work with federal regulators in establishing cybersecurity best practices for the healthcare sector.
The goal of this collaborative effort is to move away from rigid regulations imposed by a few government officials and instead engage in open negotiations to develop cybersecurity requirements that are practical and effective. By involving a wider range of stakeholders in the process, HSCC aims to create a more inclusive and adaptive cybersecurity framework for the healthcare industry.
In an audio interview with Information Security Media Group, Garcia also discussed the Trump administration’s response to HSCC’s proposal, the reasons behind industry opposition to the proposed HIPAA security rule update, and the potential alignment of HHS’ Cybersecurity Performance Goals with HSCC’s Health Industry Cybersecurity Practices.
Furthermore, Garcia highlighted existing resources and best practices available to healthcare organizations to enhance their cybersecurity programs. He also emphasized the importance of cybersecurity information sharing legislation that is set to sunset in September unless reauthorized by Congress, as well as other key cybersecurity challenges facing the healthcare sector.
Prior to his role at HSCC, Garcia served as the nation’s first Department of Homeland Security assistant secretary for cybersecurity and communications. With his extensive experience in both the public and private sectors, Garcia brings a wealth of knowledge and expertise to the ongoing discussions surrounding healthcare cybersecurity and privacy issues.