- The Healthcare Sector Coordinating Council (HSCC) asked the HHS OIG for a waiver to the anti-kickback rules to enable the donation of healthcare cybersecurity technology and services to improve the cybersecurity of smaller healthcare providers, protect patient safety and data, and promote secure data exchange.
In developing the exception, the HSCC recommended that OIG work with public and private sector experts to develop a definition of cybersecurity technology, the council said in its comments submitted Oct. 26 to HHS OIG in response to its request for information regarding the anti-kickback statute and beneficiary inducements civil monetary penalty (CMP).
“Creating a waiver under the anti-kickback rules that allows for the donation of cybersecurity technology (both hardware and software), training, and tools to providers (i.e. under-resourced or less sophisticated ones) will improve the overall cybersecurity posture of our industry and will help guard against cyberattacks that threaten patient safety,” HSCC argued in its comments.
“The security of the healthcare system is only as strong as its weakest link, so it would benefit the entire healthcare industry to support the provision of cybersecurity resources outside of large health systems. Doing so would help to protect a community’s larger systems, as well as the affiliated small and medium-sized practices,” the HSCC added.
In its comments, the council noted that cybersecurity threats endanger patient safety, citing recent studies that demonstrate that cybersecurity vulnerabilities can compromise care.
A study by the University of California concluded that patients are being hurt by cybersecurity vulnerabilities in healthcare infrastructure that open organizations up to ransomware and malware attacks as well as compromised EHRs and other systems.
Another study by Vanderbilt University determined that data breaches can lead to patient deaths. After examining HHS data, the researchers determined that data breaches were associated with higher hospital 30-day acute myocardial infarction (AMI) mortality rates in the years following a breach.
“The .34 to .45 percentage point increase in 30-day AMI mortality rate after a breach was comparable to undoing a year’s worth of improvements in mortality rate,” the Vanderbilt researchers concluded. In addition, changes to health IT and patient care processes following a data breach resulted in usability problems and other side effects that frustrated clinicians and disrupted patient care.
In addition to data breaches, vulnerabilities in medical devices can pose risks to patients, as noted in a recent HealthITSecurity.com feature.
This risk to patients from vulnerable medical devices is a focus of the FDA's regulatory efforts in this area.
“From where we sit, our mission is in terms of protection and promotion of public health; our great concern is for the medical device’s ability to perform in the way that it is supposed to perform — what we call its intended use,” said Suzanne Schwartz, FDA associate director for science and strategic partnerships at the Center for Devices and Radiological Health.
If the functionality of a medical device is impacted by a vulnerability, this could affect patient safety and the public health community, she told HealthITSecurity.com.
The FDA focuses on providing regulatory incentives to industry to encourage them to be proactive in finding vulnerabilities and addressing them in a timely manner.
“We are concerned about the times when malware or ransomware attacks can affect the clinical operations of an entire healthcare organization by shutting down equipment. That is an area that certainly we’re paying very close attention to,” Schwartz said.
The FDA emphasizes building community and collaboration by bringing together stakeholders and giving them a voice. This enables them to work together as a community towards addressing medical device security, Schwartz explained.
“The push has been towards being proactive as opposed to reactive. We have seen over the past few years some really substantial progress, and we are encouraged by what we’ve seen across the ecosystem with regard to manufacturers really being champions in certain areas, as well as working together with healthcare delivery organizations,” she said.