HHS's New 5-Year Strategic Plan Includes Cyber Goals
Objectives in Draft Include Ensuring Data Privacy, Integrity
The Department of Health and Human Services has issued a draft five-year strategic plan for 2018 to 2022, a broad-ranging document that includes objectives for protecting "the safety and integrity of human, physical and digital assets."
HHS is accepting comments on the document until Oct. 27.
The plan is a wider-ranging document than the more narrowly focused four-year information technology strategic plan issued earlier by HHS CIO Beth Anne Killoran (see HHS Strategic Plans Spotlights Cybersecurity, Privacy).
All of HHS's various divisions are expected to contribute to achieving objectives laid out in the plan, including "protecting information technology systems, data, and sensitive information, and preventing, detecting, mitigating, and responding to cybersecurity events," the plan notes. HHS says that involves:
- Maximizing enterprise-level data access and security for stakeholders while ensuring data integrity and privacy in support of streamlined program flexibilities, accountability and information exchange;
- Ensuring stronger authentication of privileged users to support application security;
- Improving the sharing of intelligence with federal and private sector partners to improve situational awareness and reduce cyberthreats;
- Maximizing data access and usability to internal and external users while protecting data confidentiality, integrity and availability, including beneficiary privacy;
- Promoting integration of electronic data systems to increase efficiency and minimize redundancy while maintaining appropriate standards for identity management and the protection of personally identifiable information and protected health information;
- Using a priority-based risk management approach that focuses on the protection of sensitive data, including PII and PHI data sets, high-value assets and mission-essential systems.
In addition, the plan touches upon other privacy and security issues. For instance, HHS aims to:
- Address the barriers, real or perceived, under HIPAA and 42 CFR Part 2, to the sharing of mental health and substance use disorder information, through health information exchange, or otherwise, with other healthcare providers and with family members and friends of persons suffering with such illnesses. 42 CFR Part 2 pertains to federal programs for mental health and substance abuse care.
- Support the private and secure collection, maintenance, analysis and sharing of information to improve surveillance and expand the evidence base for high-quality care and rapid interventions, through HIPAA rules and guidance.
Overall, the privacy and security objectives outlined in the new HHS plan sound similar to themes in the more detailed IT strategic plan that was released in March.
Top goals of that IT plan include protecting critical systems and data; improving the security and privacy posture of data and information systems; effectively preventing, monitoring and rapidly responding to emerging threats and vulnerabilities; and prioritizing cybersecurity investments through a risk-based approach.
Some privacy and security experts say the inclusion of cyber and privacy objectives in HHS's broad strategic five-year plan is critical, but time will tell if these goals can actually be achieved.
"Like most government agencies, HHS is recognizing the increasing threats presented by cybersecurity concerns," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "It is certainly important to focus significant attention on these issues, but that's not - by itself - going to be enough. HHS also will need to focus attention - and focus the healthcare industry's attention - on the full package of data security and cybersecurity risks to ensure that both personal data and individual health is appropriately protected."
Nahra would like HHS to pay "more aggressive attention" to a better approach for integrating existing regulations in the healthcare area, both at the federal and state levels.
For instance, while there have been recent proposals to bring privacy provisions of 42 CFR Part 2 regulations and the Common Rule for medical research "closer to the HIPAA standard," there still are significant differences, Nahra says. "In my view, both patients and the industry would be better off with a more consistent approach. In addition, as new sources of information grow, and new methods for evaluating health care success evolve, developing a regulatory approach that integrates these efforts beyond the traditional approach of HIPAA also will be critical."
HHS's plan appears to align with at least some of the recommendations made in an HHS cyber task force report issued earlier this year, says David Finn, the executive vice president at security consultancy CynergisTek who's a member of that task force.
"The strategic plan draft addresses some specific things called out in the task force report for the industry as a whole: stronger authentication, best practices in identity and access management and utilizing best practices from other federal agencies," he notes. "The task force called out development of and sharing best practices across the industry. If someone has figured out how to make a wheel, you shouldn't have to make one every time the need arises."