Healthcare Cybersecurity: Helping the Little Guy
Group Pushes for Changes in Federal Rules to Pave the Way for Donations
Federal regulators are being asked to relax anti-kickback rules so that resource-strapped healthcare providers can accept certain donations or subsidies of cybersecurity products and services.
The Healthcare and Public Health Sector Coordinating Council's Cybersecurity Working Group has written a letter to the Department of Health and Human Services asking for the change.
HSCC includes 198 healthcare organizations, companies and associations from across the healthcare industry who are working in collaboration with the government to develop and implement ways to strengthen the sector's security and resiliency against cyber and physical threats.
HSCC wrote a letter to CMS Administrator Seema Verma in response to a CMS request for information seeking input on addressing the "undue regulatory impact and burden" of the Physician Self-Referral Law.
More commonly called the Stark law, the regulation, enacted in 1989, is designed to remove financial incentives for referring patients for healthcare services.
Back in 2006, CMS and HHS's Office of the Inspector General issued final rules establishing exceptions to the Stark regulation and creating safe harbors to its related "Anti-Kickback Act Regulation," allowing the donation of nonmonetary remuneration - including items and services in the form of software or training services - for creating, maintaining, transmitting or receiving electronic health records. Those exceptions, originally scheduled to sunset in 2013, were extended by HHS until the end of 2021.
Now HSCC is recommending similar exceptions to allow for the donation of or subsidies for cybersecurity technology and services to healthcare providers. The group also says if CMS lacks the authority to take action to create an exemption to the Stark law, it should ask Congress to take action.
In its letter to CMS, HSCC notes that the Healthcare Industry Cybersecurity Task Force, which was created under the Cybersecurity Information Sharing Act of 2015, included a similar proposal in its 2017 report.
In its letter to CMS, HSCC writes: "Creating a Stark exception that allows providers to donate cybersecurity technology ... hardware and software, training and tools, to other providers - for example, under-resourced or less sophisticated ones - will improve the overall cybersecurity posture of our industry and will help guard against cyberattacks that threaten patient safety."
For example, a large hospital or delivery system might provide assistance to small, independent clinics.
Cybersecurity risk management in the healthcare sector cannot succeed if enterprises are only able to act independently, the group contends. "As the healthcare system is an interconnected and interdependent network, cyber threats are a shared challenge and a shared responsibility, which requires a team effort," HSCC writes.
Greg Garcia, executive director of the Joint Cybersecurity Working Group of HSCC, tells Information Security Media Group: "Big or small, everyone has a responsibility to not just protect what's in their four walls, but also the larger ecosystem."
The need to ramp up security safeguards is increasing as a result of the growth of secure, interoperable exchange of patient information in the quest for better coordinated care, as well as the expanding interconnectedness of systems and devices, he notes.
Properly securing systems, devices and data is a problem for many resource-strapped healthcare entities, says Mari Savickis, vice president of federal affairs at the College of Healthcare Information Management Executives, who is an HSCC working group co-chair.
"There is no slush fund for cybersecurity software, hardware or expertise," she says. "We're looking for existing places that might be able to help," such as through donations and subsidies for cybersecurity technology.
"We haven't considered who the donors might be," she says. But depending on how HHS could potentially craft an exception, donors could potentially include other healthcare entities or technology and services firms, she adds.
Haves and Have Nots
Privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek, says securing healthcare information networks requires that each participant has risk-based controls in place to protect the data.
"The enterprise information systems operated by integrated health systems often include a network of affiliated community-based treatment providers," he says. "The capabilities of information security programs in each of these community healthcare practices are critical to the security of the enterprise information system."
Unfortunately, the healthcare industry is divided into "the haves and have nots," Holtzman says.
"Many small healthcare providers and organizations report they feel that they lack the expertise, human resources and funding for maintaining information security programs that are able to keep up with the evolving cybersecurity threats," he says.