Last week, the American Hospital Association sent a letter to the National Institute of Standards and Technology urging the agency to ensure that its cybersecurity framework remains flexible and voluntary within the health care industry's private sector, FierceHealthIT reports.
On Oct. 29, NIST opened a comment period on a proposed cybersecurity framework (Hall, FierceHealthIT, 12/13).
Background on NIST Data Encryption Standards
In September, former NSA employee Edward Snowden leaked private government documents that stated NIST's encryption standards contain a "back door," which allows NSA to decipher encrypted messages.
NIST's data encryption standards are used in electronic health care data security and exchange.
In November, NIST announced its processes for developing data encryption standards would undergo internal and independent formal reviews (iHealthBeat, 11/6).
Details of AHA Letter
The AHA letter was sent to Patrick Gallagher, under secretary of commerce for standards and technology at NIST (FierceHealthIT, 12/13).
According to the letter, AHA agrees with the five core functions of the proposed framework:
However, Linda Fishman -- senior vice president of public policy analysis and development at AHA -- wrote that the framework also should:
- Consider how to reconcile disparate cybersecurity implementation standards;
- Provide ample time for implementing changes; and
- Include existing data security rules that are applicable to health care groups, such as HIPAA and the HITECH Act (AHA News, 12/11).
AHA also wrote that several entities that interact with hospitals should be involved in cybersecurity risk assessment and reduction activities, including:
- Medical device companies;
- Physician offices;
- Insurers; and
- Individual patients (FierceHealthIT, 12/13).