Healthcare Information Security

Cybersecurity News

CHIME Notes Cybersecurity Challenge in MACRA Final Rule

The MACRA final rule will bring payment and delivery reform, but there is also a cybersecurity challenge that must be addressed.

By Elizabeth Snell

More attention must be given to the current cybersecurity challenge and the persistent lack of interoperability across the nation’s health system must also be addressed in the final MACRA rule, according to the College of Healthcare Information Management Executives (CHIME).

Cybersecurity challenge needs to be addressed in MACRA, CHIME says

CHIME wrote a letter to Centers for Medicare & Medicaid Services (CMS) Acting Administrator Andy Slavitt, commenting on the new rule that will implement the Quality Payment Program.

Starting in January 2017, eligible clinicians will participate in either the Merit-Based Incentive Payment System (MIPS) or an Advanced Alternative Payment Model (APM), affecting 2019 Medicare reimbursements.

While CHIME said it supports the new payment model and delivery reform from the MACRA rule, there are also significant challenges that need to be addressed.

There is a key lack of interoperability in the US health system, there must be better synchronization across all Meaningful Use programs, and more attention must be given to cybersecurity.

Healthcare cybersecurity threats have increased, and as providers work to become more interoperable and implement new technologies, the threats will only continue to grow. With this in mind, CHIME explained that it was disappointed that CMS did not take its suggestion of giving credit to clinicians for working to strengthen their practices against cybersecurity threats.

“The transformation of our healthcare system is predicated on robust data exchange and the ability for clinicians to access data where and when they need it,” CHIME explained in the letter. “Meanwhile, patients are increasingly demanding ubiquitous access to their records. As healthcare grows more digital, more data is susceptible to compromise and we are seeing this play out with more breaches and highly-publicized headlines around ransomware.”

Medical device security is also a key area of concern, as the increased role of Internet of Things (IoT) will also open healthcare organizations up to more potential threats. Patient safety may be affected, CHIME noted.

“With the growing amount of healthcare information being accessible and moved electronically CHIME recommends CMS include as soon as possible clinical improvement activities that incent clinicians to take steps to better ward off cybersecurity threats and engage in good cyber hygiene.”  

Along with a closer look at cybersecurity threats, CHIME also outlined the following areas of recommendation for CMS:

  • Make 2018, in addition to 2017, a year of transition
  • Adopt a single set of standards to facilitate more seamless data exchange
  • Align health IT reporting requirements across all provider settings
  • Create new data blocking provisions, including limiting the data blocking attestation to statement one at this time

Overall, CHIME explained that for the new payment and delivery reform model to succeed, the healthcare industry needs a “high-performing, interoperable and secure technical infrastructure.”

The steps CMS has already taken to improve the flexibility for clinicians to utilize health IT for better outcomes is important. Having a 90-day reporting period under the rule and fewer measures that must be met under the Advancing Care Information (ACI) performance category are also key steps.

“We also endorse CMS’ decision to make 2017 a transition year and allowing clinicians to proceed at a pace that best suits their practice and patient needs,” the letter stated.   

Healthcare cybersecurity has been a key area of concern for CHIME, with the organization even establishing the CHIME Cybersecurity Center and Program Office earlier this year.

With the center, CHIME had hoped to advance healthcare information sharing, create and distribute cybersecurity best practices, and foster partnerships with federal agencies.

“Cyber threats are becoming more sophisticated and more dangerous every day,” CHIME President and CEO Russell Branzell said in an earlier statement. “Today the focus is ransomware, tomorrow it will be something else. As an industry, we need to pull together and share what’s working so that we can effectively safeguard our systems and protect patients.”

Dig Deeper:


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks