Cybersecurity in Healthcare: Navigating a Post-Chevron Landscape

Ty Greenhalgh: Leading the Charge in Healthcare Cybersecurity at Claroty

In an era where cyber threats loom larger than ever, the healthcare sector finds itself at a critical juncture. With the recent Supreme Court decision overturning the Chevron deference, the regulatory landscape surrounding cybersecurity in healthcare is undergoing significant transformation. At the forefront of this evolving environment is Ty Greenhalgh, the Industry Principal of Healthcare at Claroty. With over 30 years of experience in healthcare information technology and a commitment to enhancing cybersecurity, Greenhalgh is uniquely positioned to navigate the complexities of this new regulatory framework.

The Chevron Doctrine and Its Overturn

For nearly four decades, the Chevron doctrine provided federal agencies with the authority to interpret ambiguous statutes enacted by Congress, allowing them to create and enforce regulations. However, the Supreme Court’s recent ruling in Loper Bright Enterprises v. Raimondo has shifted this paradigm. The court’s 6-3 decision emphasizes that it is the judiciary’s role to interpret laws, potentially leading to increased scrutiny of agency regulations. This change poses significant implications for the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) as they work to enforce new cybersecurity requirements in the healthcare sector.

Implications for Cybersecurity in Healthcare

Vulnerability of Existing Regulations

The immediate aftermath of the Supreme Court ruling has left existing cybersecurity regulations vulnerable to legal challenges. The healthcare sector, governed by statutes such as HIPAA and new cybersecurity guidelines like the Health Sector Cybersecurity Coordination Center (HSCC) Health Industry Cybersecurity Practices (HICP), now faces uncertainty. Regulations based on agency interpretations of older laws are particularly at risk, as opponents may argue that agencies have overstepped their authority.

Future Rulemakings and Judicial Scrutiny

As HHS and CISA look to implement new cybersecurity regulations, they must ensure that these measures are firmly grounded in explicit statutory authority. The White House’s push for mandatory cybersecurity minimum requirements based on the new Health Sector Cybersecurity Practices (HPH-CPGs) highlights the urgency of this task. Strategies such as making HPH-CPGs a Condition of Participation for Medicare and Medicaid or updating the HIPAA Security Rule to include HPH-CPGs must be carefully crafted to withstand judicial review.

Introduction of the Healthcare Cybersecurity Act of 2024

In response to the growing threat of cyberattacks on healthcare systems, the Healthcare Cybersecurity Act of 2024 has been introduced. This legislation mandates closer collaboration between CISA and HHS, including the appointment of a CISA expert as a liaison to HHS. The Act also requires comprehensive reporting on coordination activities and the establishment of criteria to identify high-risk healthcare assets. These measures aim to bolster the cybersecurity posture of the healthcare sector and ensure that robust cybersecurity practices are implemented.

The Role of Congress

The recent Supreme Court decision underscores the need for Congress to provide clearer legislative directives. Vague laws that leave significant room for agency interpretation are now more likely to be challenged in court. For cybersecurity in healthcare, Congress must act decisively to update existing statutes or enact new laws that specifically address modern cyber threats. By doing so, they can provide a stronger legal foundation for regulations that agencies like HHS and CISA might implement.

Judicial Expertise in Cybersecurity

With the judiciary taking a more active role in interpreting cybersecurity regulations, there is a pressing need for judges to develop a deeper understanding of cybersecurity issues. Cyber threats are highly technical, and effective adjudication requires familiarity with the complexities of digital security. Judicial education and the inclusion of technical experts in court proceedings could help ensure that decisions are well-informed and balanced.

Challenges and Opportunities

Increased Litigation

One likely consequence of the Supreme Court ruling is a surge in litigation challenging cybersecurity regulations. Healthcare organizations may seek to overturn regulations by arguing that they exceed the agency’s statutory authority, leading to a fragmented regulatory environment. This could complicate efforts to maintain consistent cybersecurity standards across the sector.

Encouraging Voluntary Compliance

In light of potential deregulation through judicial challenges, there may be a greater emphasis on voluntary compliance initiatives. Industry leaders and professional organizations could play a crucial role in developing and promoting best practices for cybersecurity. While not legally binding, voluntary frameworks can help standardize cybersecurity measures across the healthcare sector and enhance overall resilience against cyber threats.

Conclusion

The Supreme Court’s reversal of Chevron deference marks a significant shift in the regulatory landscape, with profound implications for cybersecurity in healthcare. Federal agencies like HHS and CISA must navigate this new environment by grounding their regulations in clear statutory authority and preparing for increased judicial scrutiny. Congress, in turn, must provide explicit legislative mandates to effectively address modern cyber threats.

In this evolving legal context, the healthcare sector must adapt by embracing both regulatory and voluntary measures to enhance cybersecurity. The introduction of the Healthcare Cybersecurity Act of 2024 highlights the critical need for coordinated efforts between CISA and HHS to combat the growing cyber threats in the healthcare sector. Through collaborative efforts between government, industry, and the judiciary, the sector can build a robust framework to protect against the ever-growing threat of cyberattacks.

About Ty Greenhalgh

Ty Greenhalgh is the Industry Principal of Healthcare at Claroty. With over 30 years of experience in the healthcare information technology and information management industry, Ty is an ISC2 certified Healthcare Information Security and Privacy Practitioner (HCISPP) and Cybersecurity Officer. His expertise in leveraging advanced disruptive technology solutions has helped healthcare organizations overcome significant challenges. Ty is actively involved in several groups and associations, including the Healthcare and Public Health Sector Coordinating Council’s Joint Cybersecurity Workgroup, the National Initiative for Cybersecurity Education (NICE) Workforce Development Workgroup, and the North Carolina Health Information and Communications Alliance (NCHICA) Biomedical Taskforce. His leadership and vision are essential as the healthcare sector navigates the complexities of cybersecurity in a rapidly changing regulatory landscape.
