TRENDING:

HHS Seeks Speedy OK of Breach Rule

Health Insurance Exchanges Would Face 1-Hour Deadline Howard Anderson (ismg_editor) • August 21, 2013    
HHS Seeks Speedy OK of Breach Rule

The Department of Health and Human Services is seeking speedy approval of its controversial proposal to require state health insurance exchanges to report data breaches within one hour of discovery.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

In an Aug. 21 notice in the Federal Register, HHS' Centers for Medicare and Medicaid Services asks the Office of Management and Budget, which reviews the impact of regulations, to approve the proposal by Sept. 25, followed by a 180-day comment period. State health insurance exchanges, a key component of federal healthcare reform, are slated to begin operations for open enrollment by Oct. 1.

The breach notification requirement was originally unveiled June 19 as part of a lengthy proposed rule governing health insurance exchanges (see: 60 Minutes to Report a Breach?).

"We are requesting an emergency review ... because public harm is reasonably likely to result if the normal clearance procedures are followed," the Aug. 21 notice states. Without the emergency approval, "a significant number of incidents will not be detected, therefore causing harm and potential risk [of] ... identity fraud."

Proposal Criticized

Critics of the proposal, including independent security consultant Tom Walsh, say it's unrealistic. "It's far different from some state laws, and the [HIPAA] healthcare breach notification rule, which wants the notification as soon as possible, or 'without unreasonable delay,' but no later than 60 days," he notes.

"The investigation of any type of reported incident or possible breach takes time," Walsh adds. "Those responding to the incident must be careful not to accidentally alter or destroy forensic data. The simple act of rebooting a computer could alter the audit trail and the investigation. Heck, it could easily take an hour just to assemble a knowledgeable incident response team."

Conducting a thorough and accurate investigation typically takes one week, on average, Walsh says.

Curt Kwak, CIO of the Washington state health insurance exchange, said in a recent interview: "From my perspective, I don't believe this will become final because we don't believe it's realistic." He added: "This level of ruling will force us to be less efficient and most likely impact the usability of the system and our ability to support the system as well."

But if the requirement, in fact, goes into effect, Kwak says his state's health insurance exchange will adjust. "We will obviously need to augment our staff and tighten our environment even more," he says, "but that will probably constrict the operation efficiency of our environment."

Previous
Security Benchmarks for Medical Devices
Next
NIST Drafting Supply Chain Guidance

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



Around the Network

Addressing Security Gaps and Risks Post-M&A in Healthcare
Addressing Security Gaps and Risks Post-M&A in Healthcare
How Generative AI Will Improve Incident Response
How Generative AI Will Improve Incident Response
Why Connected Devices Are Such a Risk to Outpatient Care
Why Connected Devices Are Such a Risk to Outpatient Care
Using AI to Separate the Good Signals From the Bad
Using AI to Separate the Good Signals From the Bad
Generative AI: Embrace It, But Put Up Guardrails
Generative AI: Embrace It, But Put Up Guardrails
Threat Modeling Essentials for Generative AI in Healthcare
Threat Modeling Essentials for Generative AI in Healthcare
Why Entities Should Review Their Online Tracker Use ASAP
Why Entities Should Review Their Online Tracker Use ASAP
Critical Considerations for Generative AI Use in Healthcare
Critical Considerations for Generative AI Use in Healthcare
The State of Security Leadership
The State of Security Leadership
What's Behind Disturbing Breach Trends in Healthcare?
What's Behind Disturbing Breach Trends in Healthcare?

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.