Two laws designed to prevent fraudulent payments in healthcare are making it difficult for smaller, under-resourced providers to get the cybersecurity assistance necessary to protect themselves from global threats like last month’s WannaCry attack.
Buried among more than 100 recommendations by the Department of Health and Human Services' Cybersecurity Task Force report was a call for Congress to reexamine the Anti-Kickback Statute and the Physician Self-Referral Law, commonly referred to as Stark Law.
The regulations are designed to prevent healthcare organizations from offering inducements to beef up patient referrals. However, larger healthcare providers are concerned that under the current laws, they are legally prohibited from helping smaller organizations and physician practices acquire cybersecurity software.
Severe cybersecurity workforce shortages have exacerbated the challenges that small- and medium-sized providers already face. Joshua Corman, director of the cyber statecraft initiative at Atlantic Council’s Brent Scowcroft Center, founder of I Am The Cavalry and a member of the HHS task force, estimates that 85% of providers don’t have a single dedicated security professional on staff, including a large number of physician practices and small hospitals.
On a press call hosted by the Atlantic Council, several task force members said that the recommendations were not intended to lay blame on smaller providers, but instead point out the challenges that many of them face and highlight the need for a more collaborative approach to close those gaps.
Jackie Monson, the chief privacy and information security officer at Sutter Health in Sacramento, California, said her organization is connected to about 5,000 physicians that see patients in a clinical setting or at the hospital, but they're unable to offer them any cybersecurity assistance.
“If we want to provide technology around cybersecurity today to make sure they are secure, we would essentially violate Stark and the Anti-Kickback Statute,” she said.
Congressional action might not be necessary. HHS can grant safe harbors to include specific services. In 2006, for example, the HHS Office of Inspector General granted a safe harbor allowing hospitals to “donate” EHR systems to physician practices.
“We need to empower small providers or suppliers (e.g., physician practices) to actively manage their security posture, not hinder them,” the HHS Task Force wrote. “Often organizations want to provide technology to ensure smaller business partners do not become a liability in the supply chain.”