Obama Administration Deems HHS’ Cybersecurity Rules Effective
May 23, 2014 in News
On Thursday, the Obama administration announced that HHS’ current voluntary measures to protect against cyberattacks are sufficient and that there is no need for additional regulations, FierceHealthIT reports (Hall, FierceHealthIT, 5/23).
A February 2013 executive order required HHS — as well as the Department of Homeland Security and the Environmental Protection Agency — to determine whether their current regulations effectively carried out forthcoming industry cybersecurity standards.
The voluntary standards, which were released in February, include guidelines for recognizing, responding to and recovering from network disruptions related to cyberattacks (Sternstein, NextGov, 5/22).
Details of HHS Assessment, White House Response
In response to the executive order, HHS released a report saying that its current cybersecurity efforts are sufficient and that further regulation is unnecessary.
The report — which was submitted to the National Security Council on Feb. 11 — concluded, “All of the regulatory programs identified [in the HHS Section 10(a) analysis] operate within particular segments of the [Health Care and Public Health] Sector, due to their own distinct legislatively-defined jurisdictions and purposes. Expanding any or each of these authorities solely to address cybersecurity issues would not be appropriate or recommended” (HHS assessment, 5/12).
In a blog post addressing the matter, White House Cybersecurity Coordinator Michael Daniel wrote that the administration’s assessment “doesn’t mean that we don’t have more work to do to secure our critical systems and information throughout the country. Nor does it mean that we can stop working to ensure that regulations as written are clear, streamlined and harmonized.”
Daniel added, “It does mean that agencies with regulatory authority have determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to those systems” (FierceHealthIT, 5/23).