The Electronic Data Interchange Working Group is asking the U.S. Department of Health and Human Services to do more to help health systems, health plans and other health care organizations manage the consequences increasingly serious consequences from cyber attacks.
WHY IS IT IMPORTANT?
In a May 16 letter to HHS Secretary Xavier Becerra, WEDI offers recommendations that the department — and other federal agencies — can take to help mitigate the consequences of cyberattacks and help provider organizations maintain the ability to securely share data and deliver care.
WEDI has identified several steps HHS can take to help reduce the negative impact of ransomware attacks and other debilitating data breaches. Among them:
-
More audits and education. WEDI is calling on the HHS Office for Civil Rights to conduct “comprehensive, proactive selective audits of the health care sector.” With them, OCR can discover best practices that can help shape guidance to address compliance challenges and be used for educational campaigns to manage cyber risk for regulated entities. insurance.
-
A voluntary security screening program. WEDI said OCR should “establish a program that allows covered entities to voluntarily undergo security vetting.” “Those who submit policies and procedures for voluntary review will not be subject to enforcement action if any deficiencies are found during the audit. Instead, the organization must be given sufficient time to correct them.” fix all problems.”
-
Recognize. According to WEDI, HHS should consider developing minimum standards for third-party certification/certification organizations, noting that a set of mandatory baseline standards for security and privacy can help ensure that organizations will be in the best position to avoid a cyber attack or at least minimize the effects of one.
-
Other actions. According to WEDI, the aftermath of Change Healthcare has demonstrated the importance of HHS preparing and taking actions that can immediately support data exchange between providers and health plans, according to WEDI. include:
- Accelerate the registration of new electronic data exchanges.
- Accept written claims.
- Reduce or eliminate selective prior authorization requirements.
- Provide advance funding.
- Delay or waive data reporting requirements.
- Issue post-attack communications instructions to trading partners.
- Explore opportunities to increase cybersecurity funding.
WEDI also called for annual preparedness drills nationwide, saying HHS should designate one week each year as “National Healthcare Cyber Fire Drill Week,” in which unions will lead the healthcare industry in promoting cyber awareness and action.
Notably, WEDI is also calling on the federal government to create a new agency, the Office of National Cyber Policy – led by a new “Cyber Policy Czar” – to help coordinate and spearhead online reaction.
According to WEDI, “The proposed ONCP would not replace any existing agency or usurp the jurisdiction or functions of any other agency but instead promote a centralized incident reporting process cyber, coordinate harmonization efforts among federal agencies, educate stakeholders (focused on under-resourced organizations), direct funding for cyber preparedness for stakeholders , develop and implement national contingency plans, and serve as the focal point for industry recovery following a major cyber incident.”
BIGGER TREND
It’s been a particularly difficult few months for cybersecurity, as major healthcare organizations from Kaiser Permanente to Ascension Health experienced high-profile attacks that compromised the data of millions of people and photos. impacting the delivery of care to thousands of patients.
Of course, the fallout from Change Healthcare’s attack last February caused enormous disruption, hindering data sharing between providers and payers, making the financial situation of some number of risky activities.
HHS has sought to inform providers about cybersecurity preparations, but groups such as the American Hospital Association have rejected the proposed requirements. Instead of being punished, organizations like WEDI are asking the agency to become a partner in helping healthcare organizations protect themselves and their patients against growing cyber risks.
ON PROFILE
“The recent cyberattacks, while unprecedented, are just the latest example of what has become all too common in the healthcare industry,” said Charles Stellar, WEDI President and CEO. ”. “When administrative transactions such as prescriptions, claims, and treatment authorizations cannot be performed, provider operations and even patient care can be impacted.
“No healthcare organization is immune to the threat of cyberattacks, and combating these threats will require a collaborative effort between the public and private sectors,” Stellar added. “Maintaining operational continuity and protecting care delivery must be a government’s top priority if a critical healthcare organization is the victim of a cyber incident,” Stellar said. .
Mike Miliard is the executive editor of Healthcare IT News
Email the writer: [email protected]
Healthcare IT News is a HIMSS publication.
