- HHS’ Office of Inspector General (OIG) should create an exemption allowing donations of training/education services, software, and technology to improve healthcare cyber hygiene, according to the Association for Executives in Healthcare Information Security (AEHIS).
AEHIS wrote a letter in response to OIG’s proposed rule, Solicitation of New Safe Harbors and Special Fraud Alerts, which was published in December 2017. The rule would allow for certain safe harbor provisions, such as those that would affect access to healthcare services or competition among healthcare providers.
Certain healthcare providers have limited resources when it comes to cybersecurity, AEHIS stated. The increasingly connected healthcare infrastructure puts greater pressure on organizations to maintain strong cyber hygiene to keep data secure. Better IT infrastructure security will also ensure that patient safety remains a top priority.
“This interconnected environment poses additional risks as other, non-medical devices are increasingly being connected to a health system’s ecosystem (i.e., smart microwaves and HVAC units),” the letter said. “Together, the healthcare sector has become a prime target for cyberattacks.”
OIG should permit donations for cyber services and technologies to help healthcare providers that may have fewer available resources for cybersecurity measures, AEHIS suggested.
Citing the Cybersecurity Industry Task Force Report, AEHIS also discussed issues that stem from anti-kickback and Stark statutes.
“Physician groups confront a myriad of financial challenges,” the report said. “Often these financial constraints limit their ability to manage the EHR software without trained security professionals who have the expertise to provide sufficient cybersecurity programs to protect their patient records.”
Smaller providers or suppliers need to be empowered with their cybersecurity approach, and a lack of available resources could hinder that process, the Task Force explained.
AEHIS agreed, stressing that “an exemption to the anti-kickback statute that permits for donations of services that further an entity’s cyber posture is warranted.”
There could be limitations around such an exemption, the letter acknowledged. However, the exemption could be very helpful to the industry if it adheres to the requirements OIG has already set out for donating an EHR.
“We recommend that the OIG tailor an exemption that permits donations of training / education services, software, and technology,” AEHIS concluded. “Technologies with the greatest impact on improving cyber hygiene, as identified by CIOs and CISOs include firewalls / IDPs, antivirus / malware, email filtering / encryption, DLP, and advisory services.”
HIMSS also noted the importance of healthcare cybersecurity infrastructure earlier in 2018 when it submitted comments on NIST’s second draft of its Cybersecurity Framework (the Framework).
Cybersecurity is increasingly complex, and the US continues to rely on information technology and operational technology (OT) assets, HIMSS said. The push for interoperability will add to that complexity, making multi-dimensional cybersecurity efforts all the more necessary.
“HIMSS supports NIST’s inclusion of holistic security principles throughout the Framework—including the alignment of cybersecurity risk management with the business context and resources that support critical functions,” stated the letter. “Our Call to Action also advocates for adoption and use of the Framework, as well as fostering the growth of the healthcare cybersecurity workforce.”
HIMSS pointed out that connected devices and Internet of Medical Things (IoMT) devices could impact patient care if the devices become compromised through a cybersecurity attack.
“HIMSS strongly recommends that we need guidance to assist owners and operators of critical infrastructure—including (but not limited to) in healthcare,” HIMSS wrote. “The healthcare sector has numerous dependencies upon other critical infrastructure sectors—and, indeed, healthcare touches everyone and virtually everything.”
Healthcare providers are, however, aware of the potential risk to patient safety. Hospital leadership said patient safety was their top priority for the coming year, according to the 2018 HIMSS US Leadership and Workforce Survey. Privacy, security, and cybersecurity were ranked as the second most important priority.
Vendors and consultants did not necessarily share the same priorities, which researchers noted could create difficulties within the healthcare industry.
“The assessment of ‘Patient Safety’ by Hospital respondents is not only their top issue but one in which Vendors/Consultants truly assess (statistically) differently,” report authors wrote. “This finding suggests Vendors/Consultants and their Hospital clients/prospects may be ‘talking past’ each other on this issue and as such, presents as an opportunity for Vendors/Consultants to re-evaluate their assessment of this issue.”