HITRUST CEO to Senate: HHS' cybersecurity center duplicates private industry's role

Daniel Nutkis, founder and CEO of the Health Information Trust Alliance, told the Senate Committee on Homeland Security and Governmental Affairs that the roles outlined for HHS' healthcare-specific cybersecurity communication center too closely parallel those of existing Information Sharing and Analysis Organizations.

HITRUST has worked with the Department of Homeland Security as an ISAO since 2015 to evaluate best practices for information sharing, Mr. Nutkis wrote in his testimony to the committee June 21. Upon review of the roles of HHS' recently established Healthcare Cybersecurity and Communications Integration Center, Mr. Nutkis said its roles are duly fulfilled by ISAOs.

"We would expect in areas where the private sector has made a significant investment in establishing an effective program or approach, the government would give it due consideration before seeking a government alternative that replicates or devalues industry efforts," he wrote.

Mr. Nutkis emphasized extra care should be taken to ensure private sector activities are supported by government agencies — not duplicated.

"We are perplexed as to why HHS would not partner with industry by leveraging programs already in place and offering assistance to improve them instead of replicating and dismissing the hard work of industry."

Mr. Nutkis also recommended HHS' Office for Civil Rights revise its model for HIPAA audits. By excluding healthcare organizations that have demonstrated HIPAA compliance through other assessments — such as the HITRUST CSF Assessment — from the OCR's random audit, Mr. Nutkis said the healthcare industry would save money and time.

"Under the current audit model, OCR is using its limited resources to audit organizations that have already implemented appropriate privacy and security controls and conducted required risk assessments, for which OCR has no visibility. OCR resources could be better served in focusing on organizations not adequately addressing the HIPAA privacy and security requirements," Mr. Nutkis wrote.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.