CHIME, AEHIS want better health data threat transparency, more guidance


Two healthcare stakeholders are “pleased to see” greater attention being paid to cybersecurity of health information, but say that barriers persist to keeping patient data safe.

The comments, from the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS), are in response to an August request for information by the National Institute of Standards and Technology (NIST) on the state of cybersecurity in the digital economy.

In a letter to NIST, CHIME and AEHIS note the many challenges the industry has yet to overcome in this area.

Some of the changes that must occur to better protect patient information, they say, include:

  • More transparency of known threats so better offensive strategies can be created. Healthcare entities should be “indoctrinated” into information-sharing programs, the groups add, to ensure healthcare professionals are educated on the threat landscape.
  • Increased guidance about current threats. These documents should not refer providers back to the NIST framework or other guidance, but should be created to be easily understood by professionals who are not security experts.
  • “Cybersecurity needs to be seen as a business issue related to patient safety, not just an information technology problem,” especially as the number of connected medical devices grows, they say. “From our perspective, cybersecurity is not just about securing patient information--it is about making sure patients are safe.”
  • Guidance must be available to providers to help them assess threats they are able to control, not ones “outside of their domain.”

The letter, however, is not all doom and gloom. CHIME and AEHIS also point to the ways cybersecurity actions are growing in healthcare. Those include efforts by the Health Care Industry Cybersecurity Task Force, updates to NIST’s risk management framework, a greater focus by the Food and Drug Administration on cybersecurity and passage of the Cybersecurity Information Sharing Act.