In a draft of a cybersecurity report to be released later this month, the Health Care Industry Cybersecurity Task Force called on the government to create new policies that would help healthcare organizations strengthen their cybersecurity.
While some of the details of the report's six "imperatives" were vague—a call for more awareness, for instance—others were directed at specific standards and laws that might have more apparent effects across the industry. These include a new cybersecurity framework specific to healthcare and amendments to the Physician Self-Referral Law (Stark Law) and the Anti-Kickback Statute to allow healthcare organizations to assist physicians with cybersecurity. These, along with other imperatives set out in the report, would "help to increase awareness, manage threats, reduce risks and vulnerabilities, and implement protections not currently present across a majority of the health care industry."
That's especially necessary given the recent push for providers to share more information, said Mari Savickis, vice president of federal affairs at the College of Healthcare Information Management Executives. "As providers have been pushed to share more information more quickly, that increases the threat landscape for providers and for patients," she said.
Steve Bunnell, a partner at O'Melveny and former general counsel of the U.S. Department of Homeland Security, agreed, and said that it's hard to have a nimble information-sharing healthcare system without increasing cybersecurity risks. "To a certain extent, we're trying to have our cake and eat it too," he said.
One way to help keep the industry secure is through security frameworks. Along with the National Institute of Standards and Technology Cybersecurity Framework, which is already broadly used by providers—75% of respondents to a recent KLAS-CHIME study said they follow the NIST guidelines—the industry would benefit from a complementary framework of its own, the task force said, arguing that healthcare is a unique industry with varying resource capabilities, legacy systems that will be used for years to come, and the need to share data for patient-centered care.
"The NIST framework is so broad and used across all sectors," said Leslie Krigstein, vice president of congressional affairs at CHIME, "so something that is healthcare-specific would be a welcome addition to our resource kit."
The new framework, which would be created by the Department of Health and Human Services, would build on the NIST framework and the HIPAA security rule to give healthcare its own lexicon, standards, guidelines, and best practices. "We all know that the HIPAA security rule is not, nor was it envisioned to be, adequate to address information technology security requirements of the total enterprise," said Mac McMillan, president and chief strategy officer of CynergisTek. "It's past time for healthcare to adopt a more appropriate framework for security."
The framework would also be helpful for making cybersecurity more tangible, Krigstein said. "This would be very valuable in the sense that you could have something to measure against."
The recommendation for a healthcare-specific cybersecurity framework came under the broader recommendation to set out clearer leadership, governance, and expectations for cybersecurity in the healthcare industry. Under that heading, the report's authors also called for a cybersecurity leader role in HHS: a person who would create goals and priorities for the industry, participate in international policymaking, and take on other responsibilities.
The task force also called for changes to the Stark law and Anti-Kickback Statute. Because cybersecurity is so dependent on all the players in the networked industry, even organizations that put strong cybersecurity policies and software in place are vulnerable due to connections with less-secure providers. Therefore, the task force asked Congress to amend the Stark law and Anti-Kickback Statute to allow healthcare organizations to help physicians implement cybersecurity software, much as they have with electronic health records.
The intention may be strong, but the effects could be weaker, Bunnell said. "I have not heard that specific excuse as a reason companies don't share," he said. "But any change that does happen because of that change [to the laws] will be positive."
The task force—mandated by the Cybersecurity Act of 2015—is officially sending its report, dated May 15, 2017, to the chairmen of the House and Senate committees on Homeland Security and intelligence; the Senate Health, Education, Labor, and Pensions Committee; and the House Committee on Energy and Commerce. It will be up to Congress, the CMS, the Office of the National Coordinator for Health Information Technology, HHS, FDA, and other groups to act on the recommendations.
It's important that law- and policymakers act quickly, Bunnell said. "The threat environment evolves more quickly than the policy and legal responses do. My concern is that people don't actually do anything and just continue talking about the issue. There really is urgency," he said.