HHS security policies should focus on incentives, not penalties, health IT leaders say

The federal government needs to provide more resources and incentives to help healthcare organizations better protect their IT systems and data from cyberattacks, according to health IT security leaders.

Currently, the Department of Health and Human Services’ privacy and security standards are too focused on compliance and are unduly punitive toward healthcare provider organizations when a breach occurs, they said.

“It is vital that Congress and HHS identify a pathway for ensuring providers do not unduly shoulder the burden of protecting protected health information in situations outside their control,” wrote leaders of the College of Healthcare Information Management Executives (CHIME) and the Association of Executives in Healthcare Information Security (AEHIS) in a letter to Sen. Mark Warner, D-Va. The letter, penned by CHIME president and CEO Russell Branzell and AEHIS advisory board chair Sean Murphy, was in response to Warner’s request for comment on the state of healthcare cybersecurity.

“Providers with limited resources struggle to balance the huge demands for cybersecurity technology and information risk management programs,” Branzell and Murphy wrote. “Threats to healthcare organizations are growing more sophisticated every day and too many health systems are not properly equipped to combat the myriad of attacks that could penetrate their networks.”

Healthcare entities grapple daily with an onslaught of cybersecurity threats, both to patient data and to the systems used to provide lifesaving care.

“While the cybersecurity posture of the sector has improved, there remains a great way to go,” the organizations said.

Progress is being made, Branzell and Murphy said, as health systems have increased investment in enterprise-wide cybersecurity efforts. They are reducing the number of vendors they use and growing their security teams, but are doing so with limited financial resources. Only 29% of the 618 health systems surveyed said they had a comprehensive security program in place, according to a 2018 CHIME survey.

Healthcare organizations are also largely adopting a risk-based approach to cybersecurity and risk mitigation. Yet much of the risk assessment effort has been limited to the risks posed by electronic health records rather than covering the entire enterprise, according to CHIME and AEHIS.

Many healthcare CIOs and CISOs continue to struggle to establish a complete inventory of all connected systems in use across their enterprises, a problem exacerbated by the lack of a streamlined procurement process for devices, systems and technology across an organization.

Staying up to date with software patches also continues to be a significant challenge for healthcare organizations. In the letter, CHIME cited one large urban hospital system that became aware of 600,000 vulnerabilities in its software and connected devices in June 2016. The organization has since launched a concerted effort to improve its cybersecurity posture, expanded its security teams and increased its financial investment in cybersecurity. Through these efforts, the health system has brought its vulnerability count down to about 30,000.

Even if an organization is aware of a vulnerability, a patch may not exist, or the health system may not be able to apply it, the organizations said.

Healthcare provider organizations also face workforce challenges, including a shortage of cybersecurity professionals, stretched resources and other sectors poaching cybersecurity talent.

Currently, resources and efforts at the federal level are often focused on compliance with the requirements of the HHS Office for Civil Rights (OCR). OCR audits are perceived as punitive and do not help an organization recover or learn from a breach, CHIME and AEHIS said.

One way the federal government can help is to provide more funding for cybersecurity efforts and incentives for provider organizations. Incentives could include safe harbors from OCR penalties for organizations that demonstrate and certify cybersecurity readiness, the organizations said, although this change may require Congress to amend provisions of the HITECH Act.

Security leaders also recommend that HHS pursue policies that reward providers and other covered entities for good-faith efforts to prevent cyberattacks rather than being unduly punitive. An example would be an organization demonstrating sufficient alignment with a recognized framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other best practices.

“HHS must reconsider their breach reporting standard to focus on processes and outcomes that will improve a provider’s cybersecurity posture, not be strictly compliance focused,” they said.

The organizations also called for exemptions under the Stark Law and the anti-kickback statute enforced by the HHS Office of Inspector General to allow donations of cybersecurity training and education services, as well as software and technology such as firewalls and intrusion detection and prevention systems.

There is also a need for increased cybersecurity coordination across HHS; for instance, the Food and Drug Administration and OCR need to align their guidance and enforcement activities, the organizations said.