Executive Order Delay Trumps Administration Policy Development
President Trump’s first hundred days did not produce the event that most people in the cybersecurity community expected – a Presidential Executive Order supplanting or supplementing the Obama administration’s cyber policy – but that doesn’t mean that this period has been uneventful, particularly for those in the health care space.
The events of the period have cautioned us not to look for an imminent Executive Order. While White House cybersecurity coordinator Robert Joyce recently stated that a forthcoming executive order will reflect the Trump administration’s focus on improving the security of federal networks, protecting critical infrastructure, and establishing a global cyber strategy based on international law and deterrence, other policy demands have intruded. Indeed as the 100-day mark approached, President Trump announced that he has charged his son-in-law, Jared Kushner, with developing a strategy for “innovation” and modernizing the government’s information technology networks. This is further complicating an already arduous process for drafting the long-awaited executive order on cybersecurity, sources and administration officials say.
The Importance of NIST Has Been Manifested Throughout the Hundred Days
The expected cyber order likely will direct federal agencies to assess risks to the government and critical infrastructure by using the framework of cybersecurity standards issued by the National Institute of Standards and Technology, a component of the Department of Commerce.
The NIST framework, which was developed with heavy industry input and released in 2014, was intended as a voluntary process for organizations to manage cybersecurity risks. It is not unlikely that regulatory agencies, including the Office of Civil Rights of the Department of Health and Human Services, the enforcement agency for HIPAA, will mandate the NIST framework, either overtly or by implication, as a compliance hallmark and possible defense against sanctions.
NIST has posted online the extensive public comments on its proposed update to the federal framework of cybersecurity standards that includes new provisions on metrics and supply chain risk management. The comments are part of an ongoing effort to further revise the cybersecurity framework. NIST will host a public workshop on May 16-17, 2017
Health Industry Groups Are Urging NIST to Set up a ‘Common’ Framework for Cybersecurity Compliance
Various health care industry organizations including the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security have asked NIST to help the industry develop a “common” approach for determining compliance with numerous requirements for protecting patient data. Looking for a common security standard for compliance purposes, commenters also argue that the multiplicity of requirements for handling patient data is driving up healthcare costs. Thus, the groups urge NIST to work with the Department of Health and Human Services and the Food and Drug Administration “to push for a consistent standard” on cybersecurity. One expects this effort, given strong voice in the First Hundred Days, to succeed.
The Federal Trade Commission is Emerging as the Pre-eminent Enforcement Agency for Data Security and Privacy
With administration approval, the Federal Communications Commission is about to release today a regulatory proposal to reverse Obama-era rules for the internet that is intended to re-establish the Federal Trade Commission as the pre-eminent regulatory agency for consumer data security and privacy. In repealing the Obama’s “net neutrality” order, ending common carrier treatment for ISP and their concomitant consumer privacy and security rules adopted by the FCC, the result would be, according to FCC Chairman Pai, to “restore FTC to police privacy practices” on the internet in the same way that it did prior to 2015. Federal Trade Commission authority, especially with regard to health care, is not without question, especially considering that the FTC’s enforcement action against LabMD is still pending decision in the 9th Circuit. However, the FTC has settled an increasing number of the largest data breach cases The Federal Trade Commission’s acting bureau chief for consumer protection, Thomas Pahl, this week warned telecom companies against trying to take advantage of any perceived regulatory gap if Congress rolls back the Federal Communications Commission’s recently approved privacy and security rules for internet providers.
OCR Isn’t Abandoning the Field; Neither is DoJ
While there have been no signal actions during the First Hundred Days in either agency. The career leadership of both has signaled their intentions not to make any major changes in enforcement policy. OCR is considering expanding its policies with respect to overseeing compliance programs and extending that oversight to the conduct off Boards of Directors.
The Supreme Court Reaches Nine
Many would argue that the most important, or at least most durable, accomplishment of the Trump Administration to date is the nomination and confirmation of Neil Gorsuch to the Supreme Court. Justice Gorsuch is a conservative in the Scalia mold and is expected to case a critical eye on agency regulatory actions. There is no cybersecurity matter currently on the Supreme Court’s docket, but there will be as the actions and regulations of agencies like the FTC, FCC and DHHS are challenged.