The Workgroup for Electronic Data Interchange is asking the U.S. Department of Health and Human Services to do more to help health systems, health plans and other healthcare organizations manage the increasingly disruptive fallout from cyberattacks.
WHY IT MATTERS
In a May 16 letter sent to HHS Secretary Xavier Becerra, WEDI recommends steps that the department – and other federal agencies – could take to help mitigate the consequences of cyberattacks and help provider organizations maintain their ability to share data and deliver care safely.
WEDI identified several steps HHS could take to help blunt the negative impacts of ransomware attacks and other debilitating data breaches. Among them:
More audits and education. WEDI is calling on the HHS Office for Civil Rights to conduct "proactive, comprehensive select audits of the healthcare sector." With them, OCR can spot best practices that can help shape guidance to address compliance challenges, and that can be used in educational campaigns to help covered entities manage cyber risk.
A voluntary security audit program. OCR should "establish a program that would permit covered entities to voluntarily undergo a security audit," WEDI said. "Those submitting their policies and procedures for voluntary review should not be subject to enforcement action should any deficiencies be identified during the audit. Rather, the organization should be given sufficient time to correct any issues."
Accreditation. HHS should consider developing minimum standards for third-party accreditation/certification entities, according to WEDI, which notes that a mandated baseline set of security and privacy standards could help ensure that organizations would be best positioned to avoid a cyberattack or, at least, mitigate the effects of one.
Other actions. The Change Healthcare fallout has shown the importance of HHS being prepared and having in place actions that can immediately assist data exchange processes between providers and health plans, according to WEDI, including:
- Expediting new electronic data interchange enrollment.
- Accepting paper claims.
- Relaxing or eliminating select prior authorization requirements.
- Providing advance funding.
- Delaying or waiving data reporting requirements.
- Issuing trading partner post-attack communication guidance.
- Exploring opportunities to increase cybersecurity funding.
WEDI also called for annual nationwide preparedness drills, saying HHS should designate a week each year as "National HealthCare Cyber Fire Drill Week," where the feds would lead the healthcare industry in promoting cyber awareness and action.
Notably, WEDI is also calling on the federal government to create a new agency, the Office of National Cybersecurity Policy – to be led by a new "Cyber Policy Czar" – to help coordinate and spearhead cyber response.
"The recommended ONCP would not replace any existing agency or usurp any other agency's jurisdiction or function," according to WEDI, "but rather drive a centralized process of cyber incident reporting, coordinating harmonization efforts across federal agencies stakeholder education (with a focus on under resourced organizations), steer funding for stakeholder cyber preparedness, develop and deploy national contingency planning, and serve as the point agency for industry recovery following a major cyber incident."
THE LARGER TREND
It's been an especially challenging few months for cybersecurity, with major healthcare organizations from Kaiser Permanente to Ascension Health reporting breaches that may have compromised the data of millions and experiencing cyberattacks that impacted care delivery for thousands of patients.
And reverberations from the Change Healthcare attack this past February, of course, have been hugely disruptive, stymieing data sharing between providers and payers and putting the financial health of some practices at risk.
HHS has sought to put providers on notice about cybersecurity preparedness, but groups such as the American Hospital Association have pushed back on proposed requirements. Instead of penalties, organizations like WEDI are asking the agency to be a partner in helping healthcare organizations protect themselves and their patients against an intensifying cyber risk.
ON THE RECORD
"Recent cyberattacks, while unprecedented, are just the latest example of what has become unfortunately all too commonplace in the healthcare industry," said Charles Stellar, WEDI president and CEO, in a statement. "When administrative transactions such as medication prescriptions, claims, and treatment authorizations cannot be conducted, provider operations and even patient care can be impacted.
"No healthcare organization is immune to the threat of cyberattack and countering these threats will require a collaborative effort between the private and private sectors," Stellar added. "Maintaining operational continuity and safeguarding the care delivery process must be a top priority of the government should a critical healthcare organization be the victim of a cyber incident."