Healthcare, cybersecurity policy and privacy top the list of priorities outlined in the technology briefing by...
fellows and executives from the Center for Democracy and Technology (CDT), a Washington, D.C.-based nonprofit. These issues will all directly affect compliance and security professionals as the full slate of legislation moves through Congress during the fall session.
The American Recovery and Reinvestment Act (ARRA) of 2009, aka the stimulus bill, is having significant regulatory effects. The clearest example is in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which includes provisions that affect health privacy. Nine months after ARRA passed, the rules enacted in it are starting to apply.
The most significant of these are likely to be the breach notification rules from the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC). Deven McGraw, director of the Health Privacy Project at CDT, expressed concerns about the HHS breach notification provisions as they apply to Health Insurance Portability and Accountability Act (HIPAA) entities and extend to personal health record vendors that fall under FTC regulations. "We're pleased with the rule that FTC came out with," she said, but, "HHS interpreted the breach definition to include a harm standard that is broadly worded and gives authority to a breached entity about whether there is harm. If that entity determines that the answer is no, notification doesn't have to happen."
McGraw pointed out that, "if the FTC is reasonably certain data hasn't been acquired, a breach hasn't occurred. HHS expands on that -- well, what kind of data? If it's just your name and you were in a hospital, there's no risk of harm. Core health data is subject to a less rigorous standard."
HITECH compliance goes into effect Sept. 24 under the FTC's standard, although, according to McGraw, both agencies say they won't enforce a data breach for 180 days. And she added that she expects conservative interpretation, given FTC enforcement of HIPAA violations at CVS Caremark Corp.
Reforming cybersecurity policy is a major priority under President Barack Obama's administration. Proposed changes have the potential to rework compliance with the Federal Information Security Management Act and guidelines from the Federal Energy Regulatory Commission and North American Electric Reliability Corporation, or FERC and NERC. Many other areas of e-commerce and infrastructure could also be affected, given the broad reach of proposed legislation like the Cybersecurity Act of 2009 (S.773, aka the "kill-switch bill").
In terms of the cybersecurity act -- also referred to as the Rockefeller-Snowe bill, after Sens. John Rockefeller (D-W.V.) and Olympia Snowe (R.-Maine) -- it's still not entirely clear what the president's power will be in an emergency if the legislation doesn't come through. Gregory Nojeim, CDT counsel, said, "It would be useful for the White House to offer its view in the context of a given scenario," in response to questions regarding the president's control over the Internet and various free speech and commerce issues. Concerns over a "cyber-Katrina" aren't purely academic, either, as numerous technology advocates and analysts have expressed concerns about how S.773 may set or apply standards from the National Institute of Standards and Technology (NIST). Questions about cybersecurity policy that need to be answered include: Will best practices defined by NIST be auditable and audited? Could such standards stifle innovation because of that detail? Ari Swartz, vice president and chief operating officer at CDT, expressed confidence in the nomination of physicist Patrick Gallagher to the post of NIST director. Should Gallagher be seated, he'll have a full portfolio as he begins work.
This fall's legislative session at Congress will see numerous issues, including the use of the OpenID federated identity framework for .gov authentication pilot, prospects for a national data privacy law (H.R. 2221) and Pass ID. All three of these areas will be affected by the direction of the cybersecurity policies defined by the administration.
If the FTC is reasonably certain data hasn't been acquired, a breach hasn't occurred. HHS expands on that -- well, what kind of data?
Deven McGraw, director, Health Privacy Project Center for Democracy and Technology
Cynthia Wong, the Plesser Fellow at CDT, said the Pass ID markup happened at the end of July, when Senators cleared the way for a measure to replace REAL ID. "In general, CDT has been supportive of Pass ID, since we view it as an improvement over REAL ID, which is still on the books," Wong said. "Pass ID mitigates some key privacy concerns from REAL ID and also introduces new privacy protections for information contained in the machine-readable zone on driver's licenses and ID cards that don't exist apart from individual state law. However, we think the bill can still be improved, and have made specific recommendations for strengthening privacy protections to Congress." Wong also shared concerns about Pass ID amendments in a post on the CDT blog.
In terms of the use of OpenID for .gov websites, Schwartz expressed cautious optimism, ladled liberally with concern over the details of implementation.
"If you go back to 1998, GSA [the General Services Administration] has a problem called ACES," he said, referring to Access Certificates for Electronic Services. "The goal was to give every American a digital signature. We had a lot of problems with that. That program broke up into pieces. One of the things they were pushing for was federated identity, which offered the ability to have many levels. We liked the GSA approach, but it never went into effect. Now, [federal CIO Vivek] Kundra is taking that scheme over. We need to make the levels actually work. Level 1 is the most basic, and then on up."
Privacy challenges, as Schwartz said he sees them, lay in the OpenID system will work. "The question is what kind of information can the third party keep, is it limited by contract, and how do you set those rules up," he said. "That's not clear. We're going to have a consultation with agencies and OpenID to try to come up with guidance.
Let us know what you think about the story; email email@example.com.