HITRUST CEO worries new HHS cybersecurity efforts are duplicative, calls for OCR audit exemptions

HITRUST CEO Daniel Nutkis said he was "surprised" by the rollout of a new cybersecurity communications center launched by HHS.

The CEO of a leading healthcare cybersecurity organization is concerned that new federal efforts to improve cyberthreat sharing interfere with existing methods in the private sector.

During a hearing before the Senate Committee on Homeland Security and Governmental Affairs on Wednesday, Daniel Nutkis, CEO of the Health Information Trust (HITRUST) Alliance, questioned the purpose of a new cybersecurity communications center that Department of Health and Human Services officials said will be operational by the end of the month.

RELATED: HHS prepares to unveil cybersecurity communications center by the end of the month

In written testimony, Nutkis argued that his organization has worked in the past with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which served as a prototype for HHS’ new Health Cybersecurity and Communications Integration Center (HCCIC). But HITRUST was “surprised” to learn HHS was creating its own center.

“Clear guidance and communication should be established to ensure private sector activities are supported and not duplicated by government programs,” Nutkis wrote.

He also criticized HHS for working on a new implementation guide for NIST's Cybersecurity Framework, arguing that the private sector has already developed those guidelines.

Federal cybersecurity officials and industry experts have said threat sharing is a critical element to defending against a constant barrage of attacks. HHS deputy chief information security officer Leo Scanlon said the HCCIC was “an integral part” of the response to the WannaCry attack last month and the government's ability to disseminate information to providers.

Nutkis also took issue with HHS’s enforcement approach. Arguing that random compliance audits conducted by the HHS Office for Civil Rights have forced hospitals to divert energy and resources to compliance, he proposed a new policy that would exempt facilities that meet certain minimum privacy and security standards from OCR audits. Providing safe harbors would incentivize facilities to adopt cybersecurity best practices and allow regulators to focus on providers with the biggest compliance concerns.   

“This approach would create cost savings to industry by not having to prepare for unnecessary government audits, and save government resources by not using taxpayer dollars to assess organizations that can already demonstrate compliance,” he wrote.

RELATED: HHS is considering changes to OCR’s 'wall of shame'—and experts are divided on the impact

HHS is currently exploring a new approach to its data breach portal known as the “wall of shame” that could limit the amount of time healthcare systems are posted to the site.


Following Wednesday's hearing, Sen. Claire McCaskill, D-Mo., and Sen. Ron Johnson, R-Wisc., sent a letter to HHS Secretary Tom Price asking him to clarify the agency's plans to integrate the HCCIC with existing federal initiatives. The lawmakers included nine questions addressing safe harbor liability protections, interaction with the NCCIC and whether the center poses a conflict of interest since HHS also serves as a privacy and security regulator.