The Department of Health and Human Services is exploring potential changes to the agency’s “wall of shame,” a legislatively mandated website that tracks healthcare data breaches dating back to 2009.
During a hearing addressing cybersecurity concerns in healthcare last week, Leo Scanlon, deputy chief information security officer at HHS, told Rep. Michael Burgess (R-Texas) that Secretary Tom Price is reassessing the website overseen by the Office for Civil Rights. Burgess criticized the portal—commonly known as the “wall of shame”—during an April subcommittee hearing, arguing the website was unnecessarily punitive.
“We heard you loud and clear at that hearing and we took that matter back to the Secretary,” Scanlon said, noting that any modifications could be addressed within the agency. “He has taken it very seriously and is working on an effort to address the concerns you raised.”
Burgess is worried the public display is unfair to providers and payers that are attacked through no fault of their own. He also questioned whether the website and the looming threat of an OCR investigation impede threat sharing, an issue HHS plans to address through its new Healthcare Cybersecurity Communications Integration Center (HCCIC).
“I am supportive of efforts to protect patient information,” Burgess said in a statement to FierceHealthcare. “However, I remain concerned by OCR’s usage of the Breach Portal and the public exposure of victims. I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”
However, HHS is limited in the changes it can make to the portal without help from Congress. Under the 2009 HITECH Act, the agency is required to post healthcare data breaches to a website accessible to the public.
But HHS has some leeway in how it manages the breach portal. Modifications to the portal could place limits on the amount of time an entity is listed on the website—one of the few changes the agency could make without congressional intervention.
“They could make it six months if they wanted to,” said Marcy Wilder, a partner at Hogan Lovells in the District of Columbia and the former deputy counsel at HHS. “I think the agency has significant discretion on what they post and for how long.”
A spokesperson for OCR declined to answer specific questions about what changes it's considering or whether the agency will put time limits on the website, but a statement by OCR Director Roger Severino acknowledged the agency is evaluating its options.
“The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” Severino said. “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”
Privacy attorneys are split on what impact changes might have. Wilder argued she “doesn’t see the value of providing information going back to 2009,” adding that the agency needs to balance compliance and enforcement with threat sharing.
Among healthcare organizations, there is a fear that sharing information about cyberthreats will lead to an investigation and potential fines from OCR, according to Leslie Krigstein, vice president of congressional affairs at the College of Healthcare Information Management Executives (CHIME).
“Ultimately, you’re potentially sharing this information with the department that regulates you,” she said.
But Lucia Savage, chief privacy and regulatory officer at Omada Health, a digital therapeutics company that focuses on chronic disease, and the former chief privacy officer at the Office of the National Coordinator for Health IT, said HHS is “extremely cognizant” that threat reporting doesn’t trigger subsequent investigations. She added that she wasn’t aware of an instance in which an entity reported a cyberthreat to HHS and was audited by OCR as a result.
In guidance issued last year, the OCR indicated the government considers ransomware a data breach, which would require the entity to notify patients, the HHS secretary and the news media. However, a checklist (PDF) issued earlier this month specified that OCR doesn’t receive reports of cyberthreat indicators from HHS.
“My experience [is that people at HHS] are extremely conscious about that,” she said.
Leon Rodriguez, a partner at Seyfarth Shaw LLP who served as the OCR’s director from 2011 to 2014, acknowledged it wouldn’t be “a disaster” to limit the length of time an entity is listed on the breach portal website, but he questioned whether changes would undermine the portal’s objectives—to inform the public and understand why a data breach occurred.
“I don’t see where the world’s come to an end because of the way it’s been done so far,” he said.