President's Proposed 2020 Budget: Impact on CybersecuritySome Agencies Would See Steep Cuts; Others Would Get Funding for Cyber Efforts
The Trump administration's proposed fiscal 2020 budget calls for substantial cuts at many non-defense agencies, but it would provide extra funding for certain cybersecurity-related efforts.
Agencies that would see a boost in cybersecurity-related funding under the proposed budget for the fiscal year that starts Oct. 1 include the Department of Defense and the Department of Energy, as well as the Food and Drug Administration.
But two Department of Health and Human Services' units that regulate health IT security and privacy matters - the Office for Civil Rights and the Office of the National Coordinator for Health IT - would see their budgets cut under the president's budget.
The president's budget is little more than a wish list because Congress must enact appropriations, and the final funding levels often differ substantially from the administration's budget requests.
The proposed budget includes more than $1 billion for the Department of Homeland Security's cybersecurity efforts.
"These resources would increase the number of DHS-led network risk assessments from 473 to 684 - including assessments of state and local electoral systems - as well as for additional tools and services, such as the EINSTEIN and the Continuous Diagnostics and Mitigation programs, to reduce the cybersecurity risk to federal information technology networks," the budget proposal notes.
The administration's budget proposes spending $718 billion for the Department of Defense, a 5 percent increase from the fiscal 2019 enacted level. Some of that funding increase would be for cyber-related initiatives.
"For cyber, the budget continues to integrate efforts and operationalize U.S. cyber strategy, while scaling artificial intelligence throughout the DoD," the administration's budget notes.
"The budget continues to place a high priority on cybersecurity and cyber operations by requesting more than $9.6 billion in fiscal 2020 to advance DOD's three primary cyber missions: Safeguarding DOD's networks, information and systems; supporting military commander objectives; and defending the nation."
The budget would grow the capacity of U.S. military cyber forces - including the recently elevated United States Cyber Command, the budget notes.
To ensure "robust cybersecurity programs across the energy sector," the budget would provide over $156 million for the recently established Office of Cybersecurity, Energy Security, and Emergency Response within the Energy Department.
Healthcare Sector Funding
Overall, the Department of Health and Human Services would get a $4.75 trillion budget, with $87.1 billion in discretionary budget authority and $1.2 trillion in mandatory funding. That's a $12.4 billion reduction - or more than 12 percent - in discretionary funding from fiscal 2019 levels, according to the HHS "budget in brief" document released on Monday.
But the budget proposal highlights funding for certain cybersecurity initiatives, including at HHS' Food and Drug Administration.
The FDA's proposed $6.1 billion budget would include, for example, $55 million for an initiative to build an integrated knowledge management system and portal for medical devices to enable safety issues to be monitored and effectiveness evaluated during the life cycle of the device, FDA notes.
"This capability to better leverage pre-existing and new data in near real time is essential for implementing the FDA's new approaches for digital health technologies, breakthrough devices, use of real-world evidence and cybersecurity," according to the FDA statement.
"These efforts could also make medical product review cycles more efficient; allow the agency to more quickly identify and address safety signals and cyber vulnerabilities; and spur the development of innovative, safer, more effective medical devices," the FDA states.
But two other HHS agencies - the Office for Civil Rights, which enforces HIPAA, and the Office of the National Coordinator for Health IT, which leads the nation's effort to advance health information technology, would see smaller budgets in fiscal 2020 under the administration's proposal.
The budget proposes to slash funding for OCR by nearly 25 percent to $30 million in fiscal 2020. The impact of those potential cuts, however, would likely be offset by OCR's HIPAA enforcement settlement and penalty collections. "OCR will use civil monetary settlement funds to support HIPAA enforcement activities, necessitating a smaller discretionary appropriation request," the HHS budget brief document notes.
The budget proposal also notes that fiscal 2018 was a "record year" for OCR in enforcement; its collections, settlements and judgments totaled over $25 million.
In terms of staffing, the OCR budget proposal calls for adding four full-time equivalents, bringing the total to 159.
HHS is proposing to slash ONC's budget about 28 percent $43 million in fiscal 2020. It would cut ONC's full-time staff to 164 from 176.
HHS notes in its budget brief that the ONC budget for fiscal 2020 "prioritizes policy and rulemaking activities, standards development and implementation, and electronic health record certification efforts to fulfill ONC's commitment to an interoperable health IT system."
In fiscal 2020, "ONC will accelerate development of data standards and the implementation of a trusted exchange framework and common agreement across health information networks to accelerate the achievement of this goal," the document notes.
The HHS budget document notes that the 21st Century Cures Act directs ONC to continue its work to combat the blocking of the sharing of health information and the building of health IT exchanges. "ONC will aggressively implement certification program rules that prohibit information blocking, create and promote channels for reporting information blocking, and enforce relevant provisions required of the Cures Act," the HHS budget document notes.
Privacy attorney Iliana Peters of the law firm Polsinelli says this is the first time that HHS has included in its proposed budget a reference to OCR generating income from penalties tied to HIPAA settlements and civil money penalty enforcements.
"This development indicates that OCR is comfortable with at least the same amount of HIPAA enforcement recoveries going forward for some time, given that once an appropriated budget is reduced, it is unlikely to be increased in the future," she says.
"At least for next year, it will have very little effect on OCR's HIPAA operations, given that OCR currently has a sufficient cushion of enforcement recoveries to use for HIPAA enforcement."
But other observers offer a different perspective.
"I am concerned about the general reduction in OCR's budget," says privacy attorney Kirk Nahra of the law firm WilmerHale. He notes that OCR's recent request for information regarding potential rulemaking changes to HIPAA "raised a lot of issues that will need to be addressed carefully and thoughtfully."
That also included a number of topics where the best approach to addressing the issue would be through additional guidance and education provided by OCR - which the agency will be challenged to accomplish with fewer resources, he contends.
"I also am concerned about a shift toward obtaining budget dollars through more enforcement and higher penalties," Nahra says. "OCR has been a really thoughtful regulator in the past because they have looked carefully at situations and analyzed whether companies were trying to do the right thing even if something went wrong. This changes the dynamics in a way that is not the best approach to enforce - particularly when OCR is at the same time trying to encourage more sharing of information in certain situations."
The proposal for OCR to use the fine and penalty collections to support its HIPAA enforcement effort will force more transparency about how the agency accounts for the fines and penalties it collects, notes privacy attorney David Holtzman of the security consultancy CynergisTek.
"OCR has collected over $100 million in penalty income from HIPAA violations in recent years. The HITECH Act requires these funds to be spent in of support OCR's enforcement efforts," he says. "There has not been any public accounting for how those collected fines and penalties have been spent or what the current balance of these funds is."
Data Integrity Worries
The proposed cuts to ONC also are troubling for several reasons, including their potential impact on efforts to ensure the data accuracy and integrity of certified EHR products, Holtzman contends.
"Consumers expect ONC to make sure that the EHRs passed through its certification program are reporting accurate information that healthcare providers can rely on to make clinical decisions," he says. "The ECRI Institute reports that patients are very concerned about the safety of EHRs. But the administration's budget proposal does away with the funding to support surveillance of EHRs that have been approved through ONC's [certification] program."