CHIME, AEHIS: CMS Should Develop Cybersecurity Incentive Program


In an Oct. 31 letter to the Office of the National Cyber Director, the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) called for greater coordination among Department of Health & Human Services agencies and recommended that the Centers for Medicare & Medicaid Services (CMS) develop a cybersecurity incentive program.

CHIME and AEHIS were responding to a request for information on “opportunities for and obstacles to harmonizing cybersecurity regulations.”

Launched by CHIME in 2014, AEHIS represents more than 950 healthcare security leaders and provides education and networking for senior IT security leaders in healthcare.

Setting the stage for its recommendations, the letter notes that the Healthcare and Public Health (HPH) Sector has the unfortunate distinction of being the sector with the most data breaches according to numerous studies. “Healthcare data and information remain lucrative targets for theft and exploitation, particularly through ransomware attacks,” they wrote. “Theft of data skyrocketed during the past few years as criminal groups and adversarial nation states capitalized on the COVID-19 pandemic by using social engineering, the very same techniques that have been successfully used against large, publicly traded companies with far greater resources than the majority of America’s healthcare delivery organizations (HDOs). Health data breaches reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) dramatically increased in 2023, on pace to double last year’s total, according to a Politico analysis of the latest agency data.”

CHIME and AEHIS also point out the dire financial situation some provider organizations are facing. “Many are being forced to reduce their budget below benchmarks, and cybersecurity projects will likely end up not surviving these cuts,” the letter states. “While the number of patients that our hospitals and healthcare systems care for has remained steady, if not increased, they are now experiencing grievous financial circumstances. Without a solution, support, and changes in policy at the federal level – we fear and believe that there are many more HDOs that are at risk of closure across the country.”

Responding to questions about how cybersecurity is coordinated and regulated, the letter noted that there are several areas of HHS that are responsible for cybersecurity – including interfacing with the private sector. “This has created fragmentation and coordination challenges both within HHS as well as outside of the Department.”

The letter recommends that HHS should engage in more education efforts, leverage CMS as an outreach channel to help increase exposure, and further educate providers – especially the small, rural, and under-resourced – with information about: 1) the 405(d) Program’s best practices; 2) the tools that are already available at no cost from the federal government, including those from CISA on risk assessment and its cybersecurity hub; and 3) NIST’s resources for small businesses and its National Cybersecurity Center of Excellence (NCCoE).

CHIME and AEHIS point out that nearly all providers bill Medicare and that CMS has a long history of running the EHR Promoting Interoperability (PI) Program (formerly known as the Meaningful Use Program). “Therefore, we believe CMS is uniquely suited to help oversee a new cybersecurity incentive program. However, unlike the EHR PI Program, which began as an incentive program and graduated to a penalty structure, we believe the cybersecurity needs in our sector are so dire and our sector’s financial needs and workforce significantly depleted from fighting the COVID-19 pandemic, that there should be no downside risk to participation.”

Calling themselves strong supporters of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), CHIME and AEHIS say they understand that NIST is trying to thread the needle insofar as the CSF has been developed as a tool to be used by a variety of organizations, across different sectors with different needs.

“While we appreciate the balance NIST aims to strike, we believe smaller, rural and under-resourced healthcare organizations will need more prescriptive steps that they can take if we are to enable them to improve their cybersecurity posture,” they wrote.

“For example, across the continuum of healthcare, one segment that continues to present a substantial amount of risk for our members is smaller physician practices. They have a high need for education and resources given their cybersecurity posture remains immature. Again, we are not suggesting so much that NIST modify the CSF to accommodate different sectors and, to be clear, that would create an additional set of problems. A good starting point for cybersecurity resource-challenged organizations is to educate them; for example, directing them to the 405(d) Program’s HICP tool, which could also be one way measurement could occur in our sector, and can help in addressing some of these challenges. Finally, we believe the focus must shift away from the mindset of how one healthcare provider stacks up against another provider – and focus more on the individual provider’s own maturity journey.”
