HITRUST CEO blasts HHS for failing to leverage cybersecurity partnerships
The recent decision of the U.S. Department of Health and Human Services to build a healthcare-specific cybersecurity communication center “raises some important issues,” said HITRUST CEO and Founder Daniel Nutkis.
In his prepared statement to the U.S. Senate Committee on Homeland Security & Governmental Affairs on Wednesday, Nutkis expressed concern, and ultimately confusion, over HHS' decision, because the role of the Healthcare Cybersecurity and Communications Integration Center "parallels the intended role and capabilities of an Information Sharing and Analysis Organization."
“Clear guidance and communication should be established to ensure private sector activities are supported and not duplicated by government programs,” Nutkis said.
Nutkis also expressed concern about HHS' current work on "yet another healthcare-based implementation guide of the NIST Cybersecurity Framework."
The Healthcare and Public Health Sector Coordinating Council and its Government Coordinating Council already worked with HITRUST and the Department of Homeland Security's Critical Infrastructure Cyber Community program to produce a healthcare-specific guide to the NIST Cybersecurity Framework.
That guide describes a cybersecurity program built around the framework's five core functions (Identify, Protect, Detect, Respond and Recover) and explains how each applies to healthcare organizations. It is updated continuously so that it remains easy to adopt and relevant to the sector.
“We state these points in an effort to highlight that not only is the HITRUST CSF already the most widely accepted cyber resilience framework in healthcare with tens of thousands of organizations having adopted it -- it also has support in other areas of government, as well as other industries,” said Nutkis.
“We’re perplexed as to why HHS would not partner with the industry by leveraging programs we already have in place and offering assistance to improve them, instead of replicating and dismissing the hard work of the industry,” he said.
On the HIPAA audits conducted by HHS' Office for Civil Rights (OCR), Nutkis acknowledged the importance of HIPAA compliance but criticized the random audit program as a distraction.
Random audits, he argued, force organizations to divert attention and resources from improving their security programs to preparing for an OCR audit that may never come.
“Under the current audit model, OCR is using its limited resources to audit organizations that have already implemented appropriate privacy and security controls and conducted required risk assessments, for which OCR has no visibility,” Nutkis said.
Instead, policymakers should consider an incentive-based model in which organizations that can demonstrate a HIPAA-compliant, comprehensive information security program receive "some form of safe harbor," he said. OCR could then focus its audits on the organizations that cannot demonstrate compliance.
“This approach would create cost savings to the industry by not having to prepare for unnecessary government audits and save government resources by not using taxpayer dollars to assess organizations that can already demonstrate compliance,” said Nutkis.
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com