The Workgroup for Electronic Data Interchange is calling on the U.S. Department of Health and Human Services to do more to help health care systems, health plans, and other health care organizations manage the increasingly disruptive impact of cyberattacks.
WHY IT MATTERS
In a Letter dated May 16 WEDI, sent to HHS Secretary Xavier Becerra, provides recommendations that the department – and other federal agencies – can take to help mitigate the impact of cyberattacks and help providers maintain their ability to share data and deliver care securely. grant.
WEDI has identified several steps that HHS could take to help mitigate the negative impact of ransomware attacks and other debilitating data breaches. Amongst them:
-
More audits and education. WEDI calls on the HHS Office for Civil Rights to conduct “proactive, comprehensive selective audits of the health care industry.” This allows OCR to discover best practices that can help shape guidance to address compliance challenges, and can be used for educational campaigns to help covered entities manage cyber risk.
-
A voluntary security audit program. OCR should “establish a program that allows covered entities to voluntarily undergo a security audit,” WEDI said. “Those who submit their policies and procedures for voluntary review should not be subject to enforcement action if deficiencies are identified during the audit. Instead, the organization should be given sufficient time to correct any issues.”
-
Accreditation. HHS should consider developing minimum standards for third-party accreditation/certification agencies, WEDI said, noting that a mandatory core set of security and privacy standards could ensure organizations are best positioned to prevent or respond to a cyberattack. least restrictive. the consequences of one.
-
Other actions. According to WEDI, the impacts of Change Healthcare have demonstrated the importance of HHS being prepared and taking actions that can immediately support data sharing processes between providers and health plans, including:
- Accelerated registration for new electronic data interchange.
- Accept paper claims.
- Relaxing or eliminating certain prior authorization requirements.
- Providing pre-financing.
- Delaying or waiving data reporting requirements.
- Providing communication guidelines for trading partners after the attack.
- Research into options to increase cybersecurity financing.
WEDI also called for annual nationwide preparedness exercises and said HHS should designate a week each year as “National HealthCare Cyber Fire Drill Week,” during which the FBI would lead the healthcare industry in promoting cyber awareness and action.
WEDI also specifically calls on the federal government to create a new agency, the Office of National Cybersecurity Policy – led by a new “Cyber Policy Czar” – to help coordinate and lead the cyber response.
“The recommended ONCP would not replace any existing agency or assume the jurisdiction or function of another agency,” WEDI said, “but rather direct a centralized cyber incident reporting process, enhancing harmonization efforts among federal agencies and educating stakeholders coordinated (with a focus on resourced organizations, among others), directing funding for stakeholder cyber preparedness, developing and deploying national contingency plans, and serving as a point of contact for industry recovery following a major cyber incident.”
THE BIG TREND
It’s been a particularly challenging few months for cybersecurity, with major healthcare organizations from Kaiser Permanente to Ascension Health experiencing significant attacks that compromised the data of millions and impacted the delivery of care to thousands of patients.
And of course, the fallout from last February’s Change Healthcare attack was hugely disruptive, hampering data sharing between providers and payers, putting the financial health of some practices at risk.
HHS has tried to notify providers of cybersecurity preparedness, but groups such as the American Hospital Association have pushed back on the proposed requirements. Instead of punishment, organizations like WEDI are asking the agency to be a partner in helping healthcare organizations protect themselves and their patients from ever-increasing cyber risk.
ON THE RECORD
“Recent cyberattacks, while unprecedented, are just the latest example of what has unfortunately become all too common in healthcare,” Charles Stellar, president and CEO of WEDI, said in a statement. “If administrative transactions such as medication prescriptions, claims and treatment authorizations cannot be completed, this can impact supplier operations and even patient care.
“No healthcare organization is immune to the threat of cyber attacks and countering these threats will require a collaborative effort between the private and private sector,” Stellar added. “Maintaining operational continuity and securing the healthcare process must be a top government priority should a critical healthcare organization fall victim to a cyber incident,” Stellar said.
Mike Miliard is editor-in-chief of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.