Presently, those institutions affected by HIPAA (health care and public health industry) are preparing to meet a September 23, 2013 deadline to comply with the HIPAA Omnibus Final Rule, requiring the strengthening of BAAs to increase privacy and security amongst suppliers and subcontractors that serve covered entities (CEs) as “business associates ”. It may come as a surprise to these business associates that a new Cybersecurity Framework (CSF) may also be imposed upon their operations

1. 1
Cybersecurity Framework’s application to
health care and public health
per E.O. 13636 and PPD-21
Part six of a series
July 2013
Author: David Sweigert, M.Sci., CISSP, CISA, PMP
(non-attorney who is not providing legal advice)
ABSTRACT
Presidential Policy Directive 21, issued jointly with Executive Order 13636,
empowers regulatory agencies to apply the new Cybersecurity Framework to
regulated industries. “Health care and public health” is named in Directive 21.
Background
One nefarious employee of a health
records processor helped himself to
confidential patient records; including
credit card numbers, social security
numbers, etc. When the employer
discovered these activities the employee
was fired. However, when the
employer’s client heard of these
violations of the Health Insurance
Portability and Accountability Act
(HIPAA) it immediately cancelled the
processing agreement and contract with
the processing center.
The processor sued the client for breach
of contract. However, a federal judge
agreed that the Business Associate
Agreement (BAA) between the two
parties had been breached, by the
violation of the HIPAA Security and
Privacy Rules. In sum, the BAA had
been nullified by the actions of only one
employee. Managed Care Solutions,
Inc. v. Community Health Systems, Inc.,
No. 10-60170-CIV (S.D. Fla. June 20,
2013).
***
Presently, those institutions affected by
HIPAA (health care and public health
industry) are preparing to meet a
September 23, 2013 deadline to comply
with the HIPAA Omnibus Final Rule,
requiring the strengthening of BAAs to
increase privacy and security amongst
suppliers and subcontractors that serve
covered entities (CEs)1
as “business
associates2
”. It may come as a surprise
to these business associates that a new
Cybersecurity Framework (CSF) may
also be imposed upon their operations
1
A covered entity is a health care entity that has access to
protected health information (PHI).
2
A business associate is a supplier or subcontractor
to a covered entity; bill collectors, processing
centers, accountants, etc. can be considered
business associates.

2. 2
to manage overall risk to privacy and
security.
Presidential Policy Directive 21 and
Sector Specific Agencies (SSAs)
Concurrently issued with Executive
Order 13636, Presidential Policy
Directive 21 (PPD-21) requires those
regulatory agencies that maintain
oversight of organizations (such as the
U.S. Department of Health and Human
Services (DHHS)) to review the
forthcoming CSF for applicability to their
constituents3
(health care and public
health).
The CSF is a standards and consensus-
based security and risk management
framework under development by the
U.S. National Institutes for Standards
and Technology (NIST). This effort is
also referred to as the NIST CSF4
.
The primary goals of EO 13636 and
PPD-21 are to increase the resiliency of
critical infrastructure (CI). Health care
and public health entities are included
within this broad definition of CI.
Pursuant to PPD-21 agencies, like
DHHS, will ‘‘review the preliminary
Cybersecurity Framework and
determine if current regulatory
requirements are sufficient given current
and projected risks’’ and submit a report
to the president ‘‘that states whether or
not the agency has clear authority to
establish requirements based upon the
3
PPD-21, section entitled “Designated Critical
Infrastructure Sectors and Sector-Specific Agencies.”
4
EO 13636, § 7(e)
Cybersecurity Framework to sufficiently
address current and projected cyber
risks to critical infrastructure, the
existing authorities identified, and any
additional authority required.’5
’
This 90-day review would commence on
October 10, 2013, after NIST has
published the preliminary CSF6
.
Will the NIST CSF reach the Cloud
Services Providers?
Cloud Service Providers (CSPs), that
are processing electronic protected
health information (ePHI), may soon
have to deal with the combination of the
new HIPAA BAA requirements and the
potential that the NIST CSF may
increase the reach of DHHS into their
CSP operations.
When initially released, EO 13636 and
PPD-21 did not specifically address
CSPs as critical infrastructure;
purportedly a specific carve-out of CSP
services from these initiatives was
arranged with industry representatives
prior to the release of these documents.
However, one could make an argument
that CSPs are within the domain of
communications and information critical
infrastructure. If true, CSPs operations
would be addressed by the Sector
Specific Agency (SSA) for that domain
(for communications and information
infrastructure the SSA is the U.S.
5
EO 13636, § 10(a)
6
EO 13636, § 7(e)

3. 3
Department of Homeland Security
(DHS)).
However, those CSPs acting as a
HIPAA business associate (processing
health care related data) might find
themselves under portions of the NIST
CSF if DHHS (not DHS) extends the
reach the framework.
The NIST CSF, ostensibly designed to
enable an Enterprise Risk Management
(ERM) approach, may become the de
facto risk management tool for those
CSPs processing ePHI.
Self-regulatory compliance of CSPs
Presently, the CSP industry has created
a self-regulatory privacy and security
compliance scheme relying on the
International Standards Organization
(ISO) standards 270017
and 270028
.
But, reliance on a commonly accepted
standard to manage enterprise risk has
not generally been agreed upon.
It can be claimed that NIST Special
Publication 800-30, Risk Management
Guide for Information Technology
Systems, is already a de facto standard
for HIPAA CEs, as the DHHS Office of
Civil Rights (OCR) has endorsed NIST
standards as “supplemental guidance”
for assessing an organization’s risk.9
7
ISO 27001:2005, Information Security Management
Systems (ISMS).
8
ISO 27002:2005, Code of Practice for Information
Security Management.
9
DHHS, OCR, “HIPAA Security Series”, March, 2007.
HIPAA Security Rule, Section 164.308
(a)(1)(ii)(A), requires a CE to, “conduct
and accurate and thorough assessment
of the potential risks and vulnerabilities
to the confidentiality, integrity, and
availability of electronic protected health
information held by the covered
entity…”.
The CSP industry is weighing other non-
NIST SP 800-30 ERM options (ISO
31000 and ISO 27005). Meanwhile,
those CSPs handling ePHI would be
well advised to carefully review their
clients’ new BAAs. Attention should be
paid to the areas of contract breach and
best industry practices. It would also be
prudent to monitor the release of the
Preliminary NIST CSF, which
coincidently occurs in October 2013 (a
few weeks after the HIPAA Omnibus
Final Rule becomes effective).
About the author: David Sweigert is a
Certified Information Systems Security
Professional, Certified Information
Systems Auditor, Project Management
Professional and holds Master’s
degrees in Information Security and
Project Management. He is a former
member of the HIPAA Administrative
Simplification committee, has testified
before the National Committee on Vital
Health Statistics (NCVHS) about HIPAA
implementation and is a practitioner in
the implementation of the HIPAA
Privacy and Security Rules in his role of
assisting organizations in securing their
I.T. enterprise infrastructure.