HHS Proposes Allowing Cybersecurity Donations to Doctors
'Safe Harbor' Would Modify Stark Law, Anti-Kickback Regulations
Federal regulators are proposing a "safe harbor" that would permit hospitals to donate certain cybersecurity software and services to physicians. The move would modify the so-called Stark Law and federal anti-kickback regulations.
Reacting to the proposal, privacy and security attorney Stephen Wu of the law firm Silicon Valley Law Group notes: "In the short run, anything that can help doctors improve their cybersecurity is good. However, in the long run, you don't want doctors to be overly dependent on hospitals for their cybersecurity."
In a statement Wednesday, the Department of Health and Human Services said its two proposed rules - one issued by the Centers for Medicare and Medicaid Services, and the other by the HHS Office of Inspector General - aim to "modernize and clarify the regulations that interpret the Physician Self-Referral Law - the 'Stark Law' - and the Federal Anti-Kickback Statute."
Portraying the proposals as a way to help improve patient care coordination by ensuring secure health information exchange, HHS says the two rules would "provide greater certainty for healthcare providers participating in value-based arrangements and providing coordinated care for patients. The proposals would ease the compliance burden for healthcare providers across the industry, while maintaining strong safeguards to protect patients and programs from fraud and abuse."
The proposals are part of what HHS calls its "regulatory sprint to coordinated care," designed to "promote value-based care by examining federal regulations that impede efforts among providers to better coordinate care for patients."
CMS and OIG Proposals
"We are proposing to amend the EHR exception to clarify that the exception is available - and always has been available - to protect certain cybersecurity software and services, and to more broadly protect the donation of software and services related to cybersecurity," HHS writes.
In its proposed rule, HHS OIG says it wants to create a new safe harbor "to protect donations of certain cybersecurity technology and related services with appropriate safeguards. We believe this proposed safe harbor could help improve the cybersecurity posture of the healthcare industry by removing a real or perceived barrier that would allow parties to address the growing threat of cyberattacks that infiltrate data systems and corrupt or prevent access to health records and other information essential to the delivery of healthcare."
Strengthen 'Weakest Link'
In recent years, HHS received "numerous comments and suggestions" urging the creation of a safe harbor to protect donations of cybersecurity technology and services, the OIG notes.
"The digitization of the healthcare delivery system and related rules designed to increase interoperability and data sharing in the delivery of healthcare create numerous targets for cyberattacks," OIG writes. "The healthcare industry and the technology used to deliver healthcare have been described as an interconnected 'ecosystem' where the 'weakest link' in the system can compromise the entire system."
Physician practices are indeed "less likely to engage in proactive cybersecurity hygiene," notes regulatory attorney Marti Arvin, executive adviser at security consultancy CynergisTek.
"By allowing a connection to improve care coordination, hospitals are potentially opening up their more secure environment to the vulnerabilities of the physician practice," she says. "Because care coordination may mean connecting multiple entities, the risk is multiplied. The entity with the weakest cybersecurity practices is the biggest vulnerability. By allowing one healthcare organization to donate cybersecurity services and technology that can improve the cybersecurity posture of the other entities being linked together, it diminishes the risk and allows for the improved flow of data to improve care coordination."
HHS notes that its cybersecurity task force called for the creation of a cybersecurity-related safe harbor in federal anti-kickback laws.
The proposed safe harbor would protect "certain cybersecurity donations," OIG explains.
"We propose to protect nonmonetary remuneration in the form of certain types of cybersecurity technology and services. Specifically ... we propose to define 'cybersecurity' to mean 'the process of protecting information by preventing, detecting and responding to cyberattacks,'" OIG writes. "We propose to include within the scope of covered technology, any software or other types of information technology, other than hardware."
The safe harbor proposal would impose a number of conditions on cybersecurity donations.
For instance, OIG says it would not permit the donation of hardware, such as laptops, because such donations "with multiple uses outside of cybersecurity present a greater risk that the donation is being made to influence referrals."
Nonetheless, OIG adds, "we are considering for the final rule adding limited protection for specific hardware that is necessary for cybersecurity, [that] is stand-alone - i.e., is not integrated within multifunctional equipment - and serves only cybersecurity purposes, for example, a two-factor authentication dongle - and solicit comments on what types of hardware might qualify and whether we should protect them under this safe harbor."
OIG adds that the safe harbor also would not extend to other types of cybersecurity measures outside of technology or services. "For example, this safe harbor would not protect donations of installation, improvement or repair of infrastructure related to physical safeguards, even if they could improve cybersecurity - for example, upgraded wiring or installing high security doors," OIG writes.
"Donations of infrastructure upgrades are extremely valuable and have multiple benefits in addition to cybersecurity ... which pose an increased risk that one purpose of the donation is to pay for or influence referrals," OIG says.
Donations That Would Be Allowed
Services that could be donated by a hospital to a physician under the proposed safe harbor include:
- Services associated with developing, installing and updating cybersecurity software;
- Cybersecurity training services, such as training recipients on how to use the cybersecurity technology; how to prevent, detect and respond to cyber threats; and how to troubleshoot problems with the cybersecurity technology, such as "help desk" services specific to cybersecurity;
- Cybersecurity services for business continuity and data recovery services to ensure the recipient's operations can continue during and after a cyberattack;
- Any kind of "cybersecurity-as-a-service" model that relies on a third-party service provider to manage, monitor or operate cybersecurity of a recipient;
- Services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis or penetration test;
- Services associated with sharing information about known cyberthreats and assisting recipients responding to threats or attacks on their systems.
"We believe these types of services are indicative of the types of services that are necessary and used predominantly for effective cybersecurity," OIG writes.
HHS' proposed policy "is well-intentioned but premature," says independent HIPAA attorney Paul Hales.
"The Holy Grail of health information management is a secure way to make patient electronic health records available whenever and wherever the patient needs treatment," he says. "Progress has been slow in part because of our patchwork system of health information exchanges and incompatible EHR systems."
Protected health information is subject to exposure "by well-meaning staff confronted with technological and regulatory challenges," he adds. "The proposed policy would add complexity in offices already coping with EHR and HIE confusion. I think it would be better for HHS to concentrate on its interoperability initiative and address the function of state [health information exchanges]."
Maintaining effective cybersecurity takes more than just software or service donations, attorney Wu notes.
"Cybersecurity requires constant training, access control management, firewalls, encryption and more. It's not just endpoint security. And software is only part of the equation."
Wu adds: "It doesn't say good things about the state of healthcare cybersecurity in general if doctors need to rely on donations in order to protect patient information."
Privacy attorney Kirk Nahra of the law firm WilmerHale notes that there has been "a lot of debate" about these cyber technology issues for many years. "It clearly is important to provide additional support to healthcare providers, particularly physicians or smaller enterprises, to enhance their security," he says.
"The trade-off has always been the same - would someone favor a company that is helping them with cybersecurity? Here, the government is saying we want to improve cybersecurity, and we think we can structure it in a way that avoids other kinds of risks - mainly related to fraud," Nahra says.
"It isn't easy, but these [proposed rules] seem to be a good approach and likely can create a cybersecurity win without any meaningful downside."
Some health IT industry groups are applauding the HHS cybersecurity safe harbor proposals.
"We have long championed the need for resources that offer both financial and nonfinancial ways for providers to shore up their systems and guard against growing threats," says Mari Savickis, vice president of federal affairs at the College of Healthcare Information Management Executives.
"Many small and lesser resourced providers need as much help as possible. Healthcare data fetches much more money on the black market than nonhealthcare data, making it a lucrative target. Helping providers fortify their systems and have access to better technology will indeed help."
Ultimately, cyberthreats are threats to patient safety, Savickis adds. "Anything that can be done to help protect against these very serious threats will be a step forward in helping better the patient safety climate. Since the threats are only growing, we must tackle this problem from a number of angles and HHS' proposal is an important tool for fighting off these attacks."
The proposed rules offer a number of other changes to the Stark law and federal anti-kickback regulations.
For instance, in an effort to coordinate care and better manage the care of their shared patients, a specialty physician practice could share data analytics services or remote monitoring technology with a primary care physician. Such technology could alert physicians or caregivers when a discharged patient needs a healthcare intervention, helping to prevent unnecessary ER visits and readmissions.
HHS is accepting comments on its proposals for 75 days after publication in the Federal Register, which is pending.