In an Oct. 31 letter to the Workplace of the Nationwide Cyber Director, the Faculty of Healthcare Data Administration Executives (CHIME) and the Affiliation for Executives in Healthcare Data Safety (AEHIS) referred to as for larger coordination amongst Division of Well being & Human Providers businesses and beneficial that the Facilities for Medicare & Medicaid Providers (CMS) develop a cybersecurity incentive program.
CHIME and AEHIS had been responding to a request for data on “alternatives for and obstacles to harmonizing cybersecurity laws.”
Launched by CHIME in 2014, AEHIS represents greater than 950 healthcare safety leaders and gives training and networking for senior IT safety leaders in healthcare.
Setting the stage for suggestions, the letter notes that the Healthcare and Public Well being (HPH) Sector has the unlucky distinction of being the sector with probably the most information breaches based on quite a few research. “Healthcare information and data stay profitable targets for theft and exploitation, significantly by ransomware assaults,” they wrote. “Theft of information skyrocketed throughout the previous few years as prison teams and adversarial nation states capitalized on the COVID-19 pandemic through the use of social engineering, the exact same strategies which were efficiently used in opposition to giant, publicly traded corporations with far larger sources than the vast majority of America’s healthcare supply organizations (HDOs). Well being information breaches reported to the Division of Well being and Human Providers’ (HHS) Workplace for Civil Rights (OCR) dramatically elevated in 2023, on tempo to double final yr’s complete, based on a Politico evaluation of the newest company information.”
CHIME and AEHIS additionally level out the dire monetary scenario some supplier organizations are going through. “Many are being compelled to scale back their funds beneath benchmarks, and cybersecurity tasks will possible find yourself not surviving these cuts,” the letter states. “Whereas the variety of sufferers that our hospitals and healthcare techniques take care of has remained regular, if not elevated, they’re now experiencing grievous monetary circumstances. And not using a resolution, help, and modifications in coverage on the federal degree – we worry and imagine that there are various extra HDOs which can be susceptible to closure throughout the nation.”
Responding to questions on how cybersecurity is coordinated and controlled, the letter famous that there are a number of areas of HHS which can be accountable for cybersecurity – together with interfacing with the non-public sector. “This has created fragmentation and coordination challenges each inside HHS in addition to outdoors of the Division.”
The letter recommends that HHS ought to have interaction in additional training efforts, leverage CMS as an outreach channel to assist enhance publicity, and additional educate suppliers – particularly the small, rural, and under-resourced – with details about: 1) The 405(d) Program’s greatest practices; 2) The instruments which can be already out there for gratis from the federal authorities together with these from CISA on danger evaluation and their cybersecurity hub; and three) NIST’s sources for small companies and their Nationwide Cybersecurity Heart of Excellence (NCCoE).
CHIME and AEHIS level out that almost all suppliers invoice Medicare and that CMS has a protracted historical past of working the EHR Selling Interoperability (PI) Program (previously known as the Significant Use Program). “Due to this fact, we imagine CMS is uniquely suited to assist oversee a brand new cybersecurity incentive program. Nonetheless, not like the EHR PI Program, which started as an incentive program and graduated to a penalty construction, we imagine the cybersecurity wants in our sector are so dire and our sector’s monetary wants and workforce considerably depleted from preventing the COVID-19 pandemic, that there ought to be no draw back danger to participation.”
Calling themselves robust supporters of the Nationwide Institute of Requirements and Expertise (NIST) Cybersecurity Framework (CSF), CHIME and AEHIS say they perceive that NIST is trying to string the needle in as far as the CSF has been developed as a instrument for use by quite a lot of organizations, throughout totally different sectors with totally different wants.
“Whereas we recognize the stability NIST goals to strike, we imagine smaller, rural and under-resourced healthcare organizations will want extra prescriptive steps that they will take if we’re to allow them to enhance their cybersecurity posture,” they wrote.
“For instance, throughout the continuum of healthcare, one section that continues to current a considerable quantity of danger for our members are smaller doctor practices. They’ve a excessive want for training and sources given their cybersecurity posture stays immature. Once more, we aren’t suggesting a lot that NIST modify the CSF to accommodate totally different sectors and to be clear, that might create an extra set of issues. A great start line for cybersecurity resource-challenged organizations is to coach them; for instance, directing them to the 405(d) Program’s HICP instrument, which is also a technique measurement might happen in our sector, and may help in addressing a few of these challenges. Lastly, we imagine the main focus should shift away from the mindset of how one healthcare supplier stacks up in opposition to one other supplier – and focus extra on the person supplier’s personal maturity journey.”
