CHIME, AEHIS Provide Feedback on Senator Warner’s Cybersecurity Policy Options Paper

December 13, 2022 - The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) provided their feedback on Senator Mark R. Warner’s (D-VA) recent policy options paper focused on improving healthcare cybersecurity.

The paper, aptly titled “Cybersecurity is Patient Safety,” explored the challenges faced by federal agencies regarding jurisdiction over healthcare cybersecurity, ways that the government could help the sector tackle threats via mandates and incentives, and policies that could help the sector respond to cyberattacks.

In a letter to Warner, CHIME and AEHIS applauded the Senator’s “long-standing commitment to highlighting and ameliorating the patient safety and national security risks posed to the healthcare sector by cyberattacks.”

“Our sector is under siege with a war being waged by cyber criminals – often nation-state sponsored – deploying cyber missiles that escalate in gravity with each passing year,” the organizations wrote.

CHIME and AEHIS provided key recommendations for penalties, incentives, and funding needs in response to the policy options paper.

Notably, the groups suggested that Congress allocate more funding to HHS for cybersecurity and expressed support for a voluntary cyber incentive program to “help offset the investments needed by healthcare providers to improve their cyber posture and reduce patient safety and national security risks.”

Additionally, CHIME and AEHIS encouraged HHS to engage in additional education efforts through a variety of channels, such as CMS and 405(d). The groups emphasized the importance of public-private partnerships and free federal resources aimed at improving healthcare cybersecurity.

When it comes to penalties, CHIME and AEHIS suggested that incentives should be prioritized over “penalty and punitive structures” and that healthcare providers should not be forced to “shoulder the entire burden of cyber crimes.”

Rather than punishing the victims, the groups suggested increased punishments for cyber threat actors who target healthcare to deter them from going after the healthcare sector.

CHIME and AEHIS also encouraged greater oversight of private cyber insurance carriers, urged Congress to pass the PATCH Act for medical device security, and supported the passage of a national privacy law to better protect consumers’ health information.

“CHIME and AEHIS appreciate the opportunity to share with you our perspectives and are strongly encouraged that with your leadership there will be meaningful changes in our sector that will help us improve our collective cyber posture and improve patient safety,” the letter concluded.

As previously reported, the American Hospital Association (AHA) also provided feedback to Senator Warner recently. AHA similarly championed additional guidance from the federal government and advocated for more support for cyberattack victims in the healthcare sector.