Decrying cybersecurity’s status in healthcare as a second-tier issue, a U.S. senator is suggesting that medical practices participating in Medicare come under a mandate to apply minimum security practices as standard operating procedure.
Such a mandate would have a far-reaching effect on the medical industry given Medicare’s sizable share of healthcare spending in the United States – about 20 percent, according to government estimates.
The suggestion – it stops short of a fully endorsed proposal – comes in a report issued by Sen. Mark Warner, a Virginia Democrat active in tech policy. “The transition to better cybersecurity has been painfully slow and inadequate,” he said in a statement.
Medicare already imposes standards on participating practices, such as requirements to take measures against the spread of hospital-acquired infections or to have emergency power sources.
“Many stakeholders believe cybersecurity is as important as those two examples, and that some minimum level of cybersecurity hygiene practices should be included in these regulations,” the report says.
Medicare, in turn, likely ought to determine how to incorporate cybersecurity costs into payment formulas, the report adds.
Warner’s office is seeking comment by Dec. 1 on the report’s proposed policy options with the goal of introducing legislation in the next two years.
Additional Policy Proposals
Modifying Medicare’s conditions of participation and its payment formula are only two of the dozens of proposals contained in the report. They include:
- Cybersecurity Framework: Developing a “consensus-based healthcare specific cybersecurity framework” could take the form of a “framework profile,” such as those developed by the National Institute of Standards and Technology for manufacturing and election infrastructure – or potentially a new subsection of NIST’s current cybersecurity framework focused on healthcare.
- Modernizing HIPAA: Updating HIPAA regulations to address a broader scope of cybersecurity threats rather than the current focus on regulated entities’ responsibility to safeguard patients’ protected health information.
- Stark Law and Anti-Kickback Statute: Clarifying through legislation the Stark Law and Anti-Kickback Statute so that healthcare sector stakeholders know they are not prevented from working together on cybersecurity improvements.
- Cybersecurity talent: Congress establishing a workforce development program that focuses on healthcare cybersecurity.
- Student Loans: Offering loan forgiveness as an incentive for cybersecurity professionals to spend several years serving in a rural community, similar to the National Health Service Corps Loan Repayment Program.
- Medical Devices: Creating incentives for healthcare organizations to invest in systems that better track their medical equipment inventory or to replace legacy equipment with newer devices; restricting sales of medical devices with outdated software; requiring software bills of materials for all software and devices used by the healthcare industry; and having the Food and Drug Administration require that medical devices have a failsafe mode in the event of connectivity failure or other security incidents.
- Information Sharing: Congress should consider creating a “narrowly-defined” safe harbor for healthcare entities that share threat information. Many organizations are reluctant to share information for fear of repercussions, a situation that prevents real-time mitigation across the industry, the report says.
- Cyberattack Recovery: HHS could direct healthcare facilities to treat cyberattacks in the same category as other hazards, such as hurricanes and earthquakes, in emergency preparedness procedures; require that all healthcare staff be trained to use alternate or legacy systems in the event of a catastrophic failure of connected systems; and establish a disaster relief program for victims of cyberattacks.
- National Stockpile: Augmenting the national stockpile with common equipment needed by hospitals facing cyberattacks, including analog equivalent medical devices, laptops, walkie-talkies, and other mobile devices.
- Cyber Insurance: Creating a federal reinsurance program that covers plans that require minimum cyber hygiene; standardizing coverage elements and incentives for insurance companies to adopt them; creating a cyber insurance program similar to the Terrorism Risk Insurance Act to create a transparent system for certain insured losses resulting from nation-state cyberattacks; mandating reporting of cyber insurance payouts.
Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council, a public-private group that advises HHS on cybersecurity issues, says Warner’s staff briefed council members on the proposals.
Warner “is right that cybersecurity is patient safety,” Garcia says.
Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center, says new healthcare cybersecurity policy should take into account small- and medium-sized businesses.*
“Financial incentives, training and favorable regulatory relief to share threats, vulnerabilities and incidents – especially in automated ways – will go a long way to help protect all organizations,” she says.
“The most effective new laws and regulations will be those that promote cooperation and disclosure, rather than imposing penalties,” says regulatory attorney Erik Weinick of law firm Otterbourg P.C.*
*Update Nov. 3, 2022 19:39 UTC: Adds comments from Denise Anderson and Erik Weinick.