The College of Healthcare Information Management Executives (CHIME) recently sent a list of recommendations to the Senate Committee on Health, Education, Labor, and Pensions (HELP), outlining the need to include cybersecurity in policies designed to address the rise in healthcare costs.
The Senate HELP committee recently released a request for information to address rising costs to healthcare. CHIME included the need for cybersecurity measures and regulatory changes to support providers in addressing threats to patient data, in its list of recommendations for reducing those costs.
For CHIME, while technology and data sharing are “vital to enhancing” care quality and efficiency, any policies to support those digital changes must include cybersecurity measures to protect patient data.
Specifically, CHIME explained that HIPAA compliance does not equal strong cybersecurity. As attacks on the sector have continued, they have proven to be highly disruptive and often crippling, as highlighted by the NotPetya and WannaCry attacks in 2017.
“To offer an overarching recommendation for the committee’s consideration, as patient health data becomes digital and more fluid, we must ensure the implementation of stringent privacy and security standards,” CHIME President and CEO Russell Branzell and Board Chair Shafiq Rab wrote.
As a result, CHIME asked the committee to address the increasing cybersecurity threats to patient data “and ensure that security is included in any policy recommendations.”
“As we increase interoperability, additional threats to data integrity will arise,” Rab and Branzell wrote. “Without proper safeguards, the safe and secure transmission of sensitive data will continue to be a challenge and will hinder efforts to care outcomes.”
To CHIME, part of the issue lies in the challenges providers face when attempting to meet the Department of Health and Human Services’ privacy and security requirements: for some, the burden can be “staggering.” Further, Office for Civil Rights audits are seen as punitive, rather than helpful to providers attempting to recover and learn from a breach.
“Providers today must dedicate highly valuable resources to navigate a complex and often unbalanced and punitive regulatory landscape,” they wrote. “Resources and efforts are often focused on compliance with OCR requirements, which may not always represent the greatest threats faced by a healthcare provider, diminishing rather than aiding their ability to guard protected health information.”
Instead, Congress and HHS must “identify a pathway for ensuring providers do not unduly shoulder the burden of protecting PHI in situations outside their control,” CHIME argued. Safe harbors from resolution agreements can also help fuel proactive collaboration and act as an incentive for providers able to demonstrate and certify “cybersecurity readiness.”
These changes may warrant Congress to amend some provisions of the HITECH Act and encourage cybersecurity investment, CHIME explained. Congress may also consider revising some definitions found in HITECH, including breaches, “as to not presume guilt.”
CHIME also recommended HHS start offering providers better guidance for analyzing and assessing threats within their control, rather than those out of their domain, while “OCR should acknowledge and recognize provider efforts and investments to safeguard information and information systems when assessing the scope and magnitude of enforcement actions.”
Congress should instead encourage HHS to pursue policies that reward providers and other covered entities “for engaging in good faith efforts to prevent cybersecurity attacks rather than unduly punitive ones.”
A good measure would be to demonstrate compliance with the NIST cybersecurity framework, CHIME explained.
“Providers must be able to maximize protections allowed under business associates agreements by redistributing responsibility for security more evenly among covered entities and their business associates,” CHIME recommended.