As one part of the plan, CMS will issue regulations requiring hospitals to build basic systems and adopt processes that reduce the probability they will be victimized by a cybersecurity breach. Blum said the draft regulations will come out this fall.
Additionally, when a hospital asks for payment flexibilities such as accelerated Medicare reimbursement as a result of a cybersecurity breach, the agency will ensure the provider has taken every step possible to protect its data before agreeing to those flexibilities, Blum said. The scrutiny will include examining whether a hospital has complied with the voluntary Cybersecurity Performance Goals HHS issued in January.
The federal government offered such flexibilities in March after the Change Healthcare cyberattack, which led to claims processing problems around the country, among other disruptions. CMS stopped accepting new applications for accelerated or advance payments in July.
“CMS will always be available to help and provide assistance, but we think that assistance requires more accountability, and that's the goal that we have going forward,” Blum said.
CMS also plans to issue tighter restrictions for healthcare clearinghouses that transmit Medicare claims-related data; work with the health insurance industry to promote cybersecurity resilience as more Medicare beneficiaries receive private managed care; and institute stronger cybersecurity requirements for federally certified clinical laboratories.
The agency aims to work with industry representatives, including hospitals, as it rolls out the strategy, Blum said. Hospital groups have previously emphasized the need for federal cybersecurity policies to be applied across the entire healthcare sector, not just providers, and with financial incentives rather than penalties.
“One of the goals that we have is to not only demand more accountability [from] those that CMS regulates directly, but also [from] the vendor communities that the health systems and providers are dependent on,” Blum said.