Code Red: Healthcare Cybersecurity in a Post-Chevron World

In light of the recent Supreme Court decision overturning Chevron deference, the regulatory landscape, especially concerning cybersecurity in healthcare, faces significant changes. The ruling in Loper Bright Enterprises v. Raimondo, which reversed the 1984 Chevron v. Natural Resources Defense Council precedent, alters how federal agencies can interpret and implement laws. This shift carries profound implications for the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) as they work to enforce new cybersecurity requirements in the healthcare sector. Compounding these challenges is the recent introduction of the Healthcare Cybersecurity Act of 2024, which mandates collaboration between CISA and HHS to enhance the cybersecurity of the Healthcare and Public Health Sector.

The Chevron Doctrine and Its Overturn

For nearly four decades, the Chevron doctrine dictated that courts should defer to federal agencies’ reasonable interpretations of ambiguous statutes enacted by Congress. This provided agencies with broad discretion to create and enforce regulations that often filled gaps left by legislators. However, the Supreme Court’s recent 6-3 decision declared that it is the judiciary’s role to interpret laws and resolve statutory ambiguities, not the agencies’. This change means that courts will now more rigorously scrutinize and potentially overturn agency regulations that do not clearly align with legislative intent.

Implications for Cybersecurity in Healthcare

Vulnerability of Existing Regulations

The immediate impact of this ruling is the increased vulnerability of existing cybersecurity regulations to legal challenges. The healthcare sector, heavily regulated by statutes such as HIPAA and new cybersecurity guidelines like the Health Sector Cybersecurity Coordination Center (HSCC) Health Industry Cybersecurity Practices (HICP), now faces uncertainty. Regulations that were based on agency interpretations of older laws are particularly at risk.

For example, HHS has interpreted HIPAA to require robust cybersecurity measures to protect patient data. These interpretations have led to the development of detailed guidelines and enforcement actions to ensure compliance. However, with Chevron deference overturned, these regulations may be contested in court. Opponents might argue that the agency overstepped its authority by imposing stringent cybersecurity requirements not explicitly mandated by HIPAA’s original language.

Future Rulemakings and Judicial Scrutiny

The decision also complicates the future rulemaking process. Agencies like HHS and CISA will need to ensure that any new cybersecurity regulations are firmly grounded in explicit statutory authority. This is particularly relevant as the White House pushes for mandatory cybersecurity minimum requirements based on the new Health Sector Cybersecurity Practices (HPH-CPGs).

Two potential strategies for implementing these requirements include:

1. Making HPH-CPGs a Condition of Participation (CoP) for CMS: The Centers for Medicare & Medicaid Services (CMS) could require adherence to HPH-CPGs as a condition for participating in Medicare and Medicaid programs. This would directly tie cybersecurity compliance to federal healthcare funding, compelling hospitals and healthcare providers to adopt robust cybersecurity measures.

2. Updating the HIPAA Security Rule to Include HPH-CPGs: Another approach could involve revising the HIPAA Security Rule to explicitly incorporate HPH-CPGs. This would make these practices a legal requirement for protecting patient data, aligning regulatory standards with modern cybersecurity needs.

Both strategies, however, must navigate the new legal landscape where courts are more likely to challenge agency interpretations. Any regulations derived from these strategies must be meticulously crafted to withstand judicial review, clearly demonstrating that they fall within the scope of Congressional intent.

Introduction of the Healthcare Cybersecurity Act of 2024

Overview of the Act

The Healthcare Cybersecurity Act of 2024 addresses the rising threat of cyberattacks on healthcare systems, which have led to significant data breaches, increased costs, and adverse patient outcomes. To combat these threats, the Act mandates closer coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS). This includes appointing a CISA expert as a liaison to HHS to provide technical assistance, facilitate information sharing, and manage cybersecurity agreements. Additionally, a comprehensive report on these coordination activities must be submitted to Congress within 18 months of the Act’s enactment. The Act also requires CISA’s Cyber Security Advisors and State Coordinators, alongside private sector experts, to train healthcare operators on cybersecurity risks and mitigation strategies.

Furthermore, the Act directs the Secretary of HHS, in coordination with CISA, to update the Healthcare and Public Health Sector Specific Plan within one year, addressing various cybersecurity challenges and best practices. CISA is tasked with establishing criteria to identify high-risk healthcare assets, developing a methodology for assessing these assets, and maintaining a biannual list of high-risk assets to prioritize resource allocation. Within 120 days of enactment, CISA must also report to Congress on the support and activities provided to the healthcare sector. These comprehensive efforts aim to fortify healthcare systems against the growing threat of cyberattacks and ensure robust cybersecurity measures are implemented across the sector.

The Role of Congress

The Chevron decision underscores the need for Congress to provide clearer legislative directives. Vague laws that leave significant room for agency interpretation are now more likely to be struck down. For cybersecurity in healthcare, this means that Congress must act decisively to update existing statutes or enact new laws that specifically address modern cyber threats and the necessary measures to counter them.

For instance, while HIPAA provides a framework for data privacy and security, it does not explicitly address many contemporary cyber threats. Congress could pass amendments or new legislation that directly mandates specific cybersecurity practices, thereby providing a stronger legal foundation for regulations that agencies like HHS and CISA might implement.

Judicial Expertise in Cybersecurity

With the judiciary now playing a more active role in interpreting cybersecurity regulations, there is a pressing need for judges to develop a deeper understanding of cybersecurity issues. Cyber threats are highly technical, and effective adjudication requires familiarity with the complexities of digital security. Judicial education and the inclusion of technical experts in court proceedings could help ensure that decisions are well-informed and balanced.

Challenges and Opportunities

Increased Litigation

One likely consequence of the Supreme Court ruling is a surge in litigation challenging cybersecurity regulations. Healthcare organizations, especially those with significant compliance costs, may seek to overturn regulations by arguing that they exceed the agency’s statutory authority. This could result in a fragmented regulatory environment where compliance requirements vary by jurisdiction, complicating efforts to maintain consistent cybersecurity standards across the sector.

Encouraging Voluntary Compliance

Given the potential for deregulation through judicial challenges, there may be a greater emphasis on voluntary compliance initiatives. Industry leaders and professional organizations could play a crucial role in developing and promoting best practices for cybersecurity. Voluntary frameworks, while not legally binding, can help standardize cybersecurity measures across the healthcare sector and enhance overall resilience against cyber threats.

Conclusion

The Supreme Court’s reversal of Chevron deference marks a significant shift in the regulatory landscape, with profound implications for cybersecurity in healthcare. Federal agencies like HHS and CISA must navigate this new environment by grounding their regulations in clear statutory authority and preparing for increased judicial scrutiny. Congress, in turn, must provide explicit legislative mandates to address modern cyber threats effectively.

In this evolving legal context, the healthcare sector must adapt by embracing both regulatory and voluntary measures to enhance cybersecurity. The introduction of the Healthcare Cybersecurity Act of 2024 highlights the critical need for coordinated efforts between CISA and HHS to address the growing cyber threats in the healthcare sector. Through collaborative efforts between government, industry, and the judiciary, the sector can build a robust framework to protect against the ever-growing threat of cyberattacks.


About Ty Greenhalgh

Ty Greenhalgh is Industry Principal of Healthcare at Claroty. He has been dedicated to the healthcare information technology and information management industry for over 30 years. Ty is an ISC2 certified Healthcare Information Security and Privacy Practitioner (HCISPP) and Cybersecurity Officer. His experience has leveraged advanced disruptive technology solutions to assist healthcare organizations in overcoming seemingly insurmountable challenges. Ty is an active member of several groups and associations: the Healthcare and Public Health Sector Coordinating Council’s Joint Cybersecurity Workgroup, the National Initiative for Cybersecurity Education (NICE) Workforce Development Workgroup, and the North Carolina Health Information and Communications Alliance (NCHICA) Biomedical Taskforce.