Healthcare Information Security

Cybersecurity News

CHIME Calls for HHS to Prioritize Healthcare Cybersecurity

Investing in good cyber hygiene through positive provider incentives is a top healthcare cybersecurity priority, CHIME explains to HHS Secretary Thomas Price.

Healthcare cybersecurity needs to be a top focus area for HHS, CHIME states.

Source: Thinkstock

By Elizabeth Snell

- Improving healthcare cybersecurity must be a top priority for the Department of Health and Human Services (HHS), the College of Healthcare Information Management Executives (CHIME) explained in a recent letter to the new HHS Secretary.

HHS should “encourage investment in good cyber hygiene through positive incentives for providers,” CHIME wrote to Secretary Thomas Price. The Department of Homeland Security considers healthcare a critical infrastructure, CHIME added, which is why both patient data and patient safety should be considered a “public good.”

“As payment and delivery system reforms propel us towards greater connectivity, new vulnerabilities arise,” the letter stated. “CHIME members take very seriously their responsibility to protect their systems and patient information, however, they face competing demands for limited resources – upgrading imaging and other clinical technologies, adopting health IT to comply with Meaningful Use, pursuing data analytics to support the move toward population health, and more.”

Along with a cybersecurity focus, CHIME also recommended that HHS support private sector-led efforts to locate a solution to patient identification and provide technical support.

The push for nationwide interoperability and health information exchange have not come with “the ability to identify patients with 100 percent accuracy 100 percent of the time,” CHIME noted.

“Addressing this problem is especially important as health information increasingly flows across unaffiliated providers in order to coordinate care and as patients increasingly access and share their own data,” said CHIME. “Ensuring correct patient identification is the first step toward effectively protecting and securing identities and mitigating fraud.”

HHS should also delay Stage 3 Meaningful Use requirements, according to CHIME. It was also recommended that the agency use Version 2015 CEHRT indefinitely while retaining a 90-day reporting period after 2017.

There must be a higher level of interoperability with Stage 3, the letter stressed. Providers have so far been facing “burdensome mandates” and higher costs of care.

In terms of interoperability itself, CHIME recommended that HHS prioritize the adoption of a single set of standards to better facilitate it.

“Providers are being required to upgrade to a new version of certified EHRs (CEHRT) (Version 2015) that still cannot accomplish the level of interoperability needed,” the letter maintained. “If providers are required to move to Stage 3 / Version 2015 CEHRT, they will not have a chance to benefit from the provisions outlined under the 21st Century Cures Act designed to improve interoperability.”

The coverage of telemedicine services should also be expanded, the letter recommended. Telemedicine coverage policies to support payment and delivery reform efforts also need to be expanded, CHIME proposed.

“Geographical limitations currently restrict the provision of telehealth services,” wrote CHIME. “The realignment of federal payment structures will be a key factor to increasing access to telehealth services to those patients who desperately need them.”

Both 2017 and 2018 should be transition years for the Merit-Based Incentive Program (MIPS), CHIME added. HHS should remove the mandate to meet Stage 3-like measures under the Advancing Care Information (ACI) performance category of MIPS.

A high-performing, interoperable and secure technical infrastructure is needed for payment reform. More time and interoperable EHRs will help physicians succeed.

HHS should also institute a 90-day reporting period for 2017 and beyond for web quality reporting requirements, according to CHIME. Furthermore, the agency should postpone reporting requirements of electronic clinical quality measures (eCQMs) until an appropriate technical infrastructure is in place.

“On average, CHIME members are contending with submitting over 20 reports across federal, state and private sector programs each month, all with their own set of quality reporting requirements, oftentimes very similar, but nonetheless still sufficiently different so as to warrant different reporting workflows,” CHIME explained.

Improving healthcare cybersecurity, advancing interoperability, and reducing regulatory burdens are all key areas for the industry, the letter asserted. However, there are still significant barriers hindering healthcare’s progress that must be adequately addressed. 


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks