“The purpose of this contract is to carry out a sequence of related activities with the goal of understanding security risks to Health Information Technology, planning and executing risk mitigation strategies, testing certain risk mitigation strategies, communicating to stakeholders the results, lessons learned, and actions that can be taken to reduce risk in HIT, which will create the foundation for policy development.

“On February 17, 2009, the President signed the American Recovery and Reinvestment Act of 2009 (ARRA). This statute includes The Health Information Technology for Economic and Clinical Health Act of 2009 (the HITECH Act) that sets forth a plan for advancing the appropriate use of health information technology to improve quality of care and establish a foundation for health care reform. Foundational to this advancement is the assurance of safety and security in Health Information Technology, as established in the legislation’s priority areas. These include promoting security and accuracy of health information and the protection of privacy through data segmentation and prevention of unauthorized access.

“Information protection and cybersecurity in the healthcare sector also cut across two of the 18 Critical Infrastructure sectors (information systems and health care) under the National Infrastructure Protection Plan. As noted in the President’s proclamation of December 2009 as Critical Infrastructure Protection Month, “critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety.”

“Cybersecurity has been identified as a top strategic priority, as set out in the White House report: “Cyberspace Policy Review” (May, 2009). As health information exchange between enterprises increases, protecting it in its transit across cyberspace becomes increasingly important. Assuring the protection of health information stored electronically, wherever it may be located, also requires securing it against threats originating in cyberspace. The White House report identified 10 short-term top priorities for cybersecurity, including strategic planning, interagency cybersecurity policy cooperation, increasing public awareness, incident response, research and development, and identity management. The work plan associated with this contract will address these priorities in their relationship to HIT.

“Overview of Security/Cybersecurity Fully deploying Electronic Health Records (EHRs) nationwide and increasing health information exchange, as required under the ARRA/HITECH legislation, steps up the need to protect these strategic information resources against cybersecurity threats. ONC has developed a coordinated plan to identify and address these threats and lay the groundwork for a safe and secure HIT ecosystem for the United States. This plan includes several distinct and related phases, each of which is composed of one or more specific activities.”

Contracting Office Address:
Parklawn Building Room 5-101
5600 Fishers Lane
Rockville, Maryland 20857

Primary Point of Contact.:
Anne F Hunt
anne.hunt@psc.hhs.gov
Phone: (301) 443-5148