In two separate publications, HIMSS has stressed the need for nationwide secure data exchange and also maintained that healthcare must have “a champion at HHS encouraging stakeholders to be proactive and relentlessly vigilant about cybersecurity.”
First, the HIMSS Interoperability & HIE Committee led a Call to Action urging interoperability and stating that “secure, appropriate, and ubiquitous data access and electronic exchange of health information” is necessary.
“For many years, HIMSS and our valued collaborators have worked relentlessly on ensuring individuals and organizations routinely use secure, trust-worthy, interoperable technologies and work flows to promote wellness, as well as protect and improve the health status of patients and populations,” the agency stated. “While we’ve made much progress, and entire careers have been spent creating the building blocks and putting them in-place, our work is not complete.”
HHS must demand better integration between interoperability approaches and trusted exchange frameworks, HIMSS explained. This will lead to “semantic interoperability and data access that improves the quality and cost effectiveness of care delivery for the public good.”
The healthcare community must also be properly educated on existing and emerging standards, data formats, and use cases with regard to secure data exchange.
“Three of the biggest challenges limiting standards implementation revolve around quality, the level of consistency in the use of the standards, and the complexity of versioning (e.g. C-CDA Release 1.1 vs 2.0 vs 2.1),” the Call to Action reads. “HIMSS supports continued efforts to develop a Measurement Framework to understand and drive consistency in standards implementation and use.”
HIMSS also listed the following areas as part of its Call to Action:
- Ensure stakeholder participation from across the care continuum, including patients and caregivers
- Identify the “minimum necessary” business rules for trusted exchange to enhance care coordination
- Standardize and adopt identity management approaches
- Improve usability for data use to support direct care and research.
The healthcare industry will also benefit from an established cybersecurity leadership role within HHS, according to the HIMSS Public Policy Committee.
HIMSS submitted three “Congressional Asks” toward the end of September 2017, and stated that healthcare cybersecurity is a top concern for the industry.
A large-scale cybersecurity incident could have an adverse effect on patient safety, in addition to impacting organizations’ finances and reputations, the agency said.
“By passing Section 405 of the Cybersecurity Act of 2015 (requiring HHS to create a cybersecurity task force to make recommendations and identify best practices, methodologies and guidelines), Congress took an important first step in creating processes to provide tools and resources to assist the health sector in better identifying and defending against cyber threats,” HIMSS wrote in its letter to Congress.
Congress should pass legislation that elevates the HHS CISO to a peer of the HHS CIO, HIMSS continued. Furthermore, the CISO should be responsible for creating a sector-specific plan on establishing cybersecurity goals and priorities.
This can include ensuring adequate threat and asset response, and creating a plan of action for such an effective response. Holistic security will also be important, with proper healthcare cybersecurity education for all stakeholders, such as software manufacturers and healthcare providers.
Healthcare cybersecurity legislation should also cover the following areas:
- Fostering interdependence between the health sector and additional critical infrastructure sectors
- Expanding the pool of qualified cybersecurity personnel to work in the health sector
- Advancing workforce education on privacy and security awareness at health-related organizations and a plan of action to enable the same, such as through the widespread dissemination of key messages prominently displayed in common areas (e.g., breakrooms)
- Incorporating lessons learned from Health IT Regional Extension Centers and other successful programs to advance greater outreach to small providers
- Advancing bidirectional, timely cyber threat information sharing between the federal government and health sector stakeholders, such as through the National Cybersecurity and Communications Integration Center (NCCIC), the Health Cybersecurity and Communications Integration Center (HCCIC) and other means
- Advancing the state of health IT by creating a plan of action that incorporates privacy and security best practices.
The Congressional Asks also urged Congress to pass the CONNECT for Health Act of 2017 and to invest in infrastructure to support 21st Century healthcare.