In an Oct. 31 letter to the Office of the National Cyber Director, the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) called for greater coordination among Department of Health & Human Services agencies and recommended that the Centers for Medicare & Medicaid Services (CMS) develop a cybersecurity incentive program.
CHIME and AEHIS were responding to a request for information on “opportunities for and obstacles to harmonizing cybersecurity regulations.”
Launched by CHIME in 2014, AEHIS represents more than 950 healthcare security leaders and provides education and networking for senior IT security leaders in healthcare.
Setting the stage for recommendations, the letter notes that the Healthcare and Public Health (HPH) Sector has the unfortunate distinction of being the sector with the most data breaches, according to numerous studies. “Healthcare data and information remain lucrative targets for theft and exploitation, particularly through ransomware attacks,” they wrote. “Theft of data skyrocketed during the past few years as criminal groups and adversarial nation states capitalized on the COVID-19 pandemic by using social engineering, the very same techniques that have been successfully used against large, publicly traded companies with far greater resources than the majority of America’s healthcare delivery organizations (HDOs). Health data breaches reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) dramatically increased in 2023, on pace to double last year’s total, according to a Politico analysis of the latest agency data.”
CHIME and AEHIS also point out the dire financial situation some provider organizations are facing. “Many are being forced to reduce their budget below benchmarks, and cybersecurity initiatives will likely end up not surviving these cuts,” the letter states. “While the number of patients that our hospitals and healthcare systems care for has remained steady, if not increased, they are now experiencing grievous financial circumstances. Without a solution, support, and changes in policy at the federal level – we fear and believe that there are many more HDOs that are at risk of closure across the country.”
Responding to questions about how cybersecurity is coordinated and regulated, the letter noted that there are several areas of HHS that are responsible for cybersecurity – including interfacing with the private sector. “This has created fragmentation and coordination challenges both within HHS as well as outside of the Department.”
The letter recommends that HHS should engage in more education efforts, leverage CMS as an outreach channel to help increase exposure, and further educate providers – especially the small, rural, and under-resourced – with information about: 1) the 405(d) Program’s best practices; 2) the tools that are already available at no cost from the federal government, including those from CISA on risk assessment and its cybersecurity hub; and 3) NIST’s resources for small businesses and its National Cybersecurity Center of Excellence (NCCoE).
CHIME and AEHIS point out that nearly all providers bill Medicare and that CMS has a long history of running the EHR Promoting Interoperability (PI) Program (formerly known as the Meaningful Use Program). “Therefore, we believe CMS is uniquely suited to help oversee a new cybersecurity incentive program. However, unlike the EHR PI Program, which began as an incentive program and graduated to a penalty structure, we believe the cybersecurity needs in our sector are so dire and our sector’s financial needs and workforce significantly depleted from fighting the COVID-19 pandemic, that there should be no downside risk to participation.”
Calling themselves strong supporters of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), CHIME and AEHIS say they understand that NIST is trying to thread the needle, insofar as the CSF has been developed as a tool to be used by a variety of organizations across different sectors with different needs.
“While we appreciate the balance NIST aims to strike, we believe smaller, rural and under-resourced healthcare organizations will need more prescriptive steps that they can take if we are to enable them to improve their cybersecurity posture,” they wrote.
“For example, across the continuum of healthcare, one segment that continues to present a substantial amount of risk for our members is smaller physician practices. They have a high need for education and resources given their cybersecurity posture remains immature. Again, we are not suggesting so much that NIST modify the CSF to accommodate different sectors and, to be clear, that would create an additional set of problems. A good place to start for cybersecurity resource-challenged organizations is to educate them; for example, directing them to the 405(d) Program’s HICP tool, which could also be a way measurement could occur in our sector, and can help in addressing some of these challenges. Finally, we believe the focus must shift away from the mindset of how one healthcare provider stacks up against another provider – and focus more on the individual provider’s own maturity journey.”