For most people, summer in Washington, D.C. conjures up thoughts of Smithsonian museums, taking in a Nationals game, or viewing the Washington Monument and the Lincoln Memorial. For DirectTrust President and CEO Scott Stuewe and Commission Executive Director Lee Barrett, summer in D.C. means visiting with Capitol Hill staffers regarding issues that are critically important to healthcare organizations.
Specifically, Scott and Lee stress the need for a true “safe harbor” for healthcare entities that follow best-practice security guidelines but still experience a cyberattack. Their meetings included multiple policy staffers from various Senate and House committees interested in healthcare and cybersecurity.
Technology and cybersecurity continue to be hot topics in healthcare. For instance, Senator Mark Warner (D, Va.) has been in the news for chairing the Senate Select Committee on Intelligence, which regularly deals with cyber issues and released a white paper on healthcare cybersecurity late last year seeking industry feedback on this critical issue. The Electronic Healthcare Network Accreditation Commission (EHNAC), which merged with DirectTrust in January, contributed comments on Warner’s white paper.
Breaking the Cycle of Cyberattacks
For healthcare organizations, it’s not a matter of whether an organization experiences a cyberattack, it’s a matter of when. We know all too well the grim statistics:
- Among industries, U.S. healthcare organizations have experienced the most cyber events for a dozen consecutive years;
- Healthcare spends nearly double the next industry to remediate cyberattacks, an average of more than $10 million per attack;
- More than 51 million patient records were breached in 2022, according to the Office for Civil Rights.
A true Safe Harbor would protect organizations that experience an attack by shielding them from additional scrutiny, risk, and fines or penalties. A Safe Harbor wouldn’t be a “get-out-of-jail-free card,” but it would recognize that the organization had taken the necessary preparatory steps to protect privileged health information in line with federal guidelines that, today, don’t exist.
Enacted in early 2021, Public Law 116-321 amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require the Department of Health and Human Services “to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.” However, this action stops well short of the Safe Harbor that healthcare organizations need in return for taking the necessary security steps to protect themselves and their patients. In addition, the regulations don’t include a reporting requirement that would help track the effectiveness of the program.
DirectTrust believes that requiring a third-party accreditation or certification program incorporating standards recognized by the National Institute of Standards and Technology (NIST), coupled with true Safe Harbor language in applicable federal law, can greatly increase the security posture of the nation’s healthcare providers. The cost for any certification program would be offset by the increased security posture and better rates for cybersecurity insurance, which has been getting more expensive while coverage amounts keep falling — if cyber insurance is even available. Such efforts provide a much-needed guardrail against cyberattacks, reducing their incidence and lessening the impact should an attack occur.
Greater Interest in Protecting Data Seen
Sentiments on Capitol Hill appear to be moving toward action on this critically important issue, and Scott and Lee were happy to share their real-world experience with staffers. Significant bipartisan effort is focused on cybersecurity and the impact of artificial intelligence (AI) on healthcare. Currently, 12 states have enacted state-specific privacy legislation, much of it based on the California Consumer Protection Act. The California legislation is modeled after the General Data Protection Regulation (GDPR) used in European Union countries. Even these frameworks may fail to protect health data that is not specifically governed by HIPAA, mainly because of the proliferation of health apps that collect, use, and disseminate patient information but aren’t covered under HIPAA.
For regional or national healthcare organizations, this hodgepodge of privacy regulations creates a compliance nightmare that could allow cyberattacks to proliferate. A uniform federal set of security protocols could not only set a minimum standard based on best practices, but also include a Safe Harbor provision to protect organizations that meet the standards yet suffer a cyber incident nonetheless. Self-assessment or self-attestation is not sufficiently rigorous to protect data, which is where third-party assessment makes sense.
A Safe Harbor that includes a third-party assessment would ensure that organizations have:
- Created an acceptable contingency plan based on federal standards;
- Put the plan into practice for at least one year;
- Demonstrated compliance with applicable laws and regulations.
DirectTrust at the Forefront of Keeping Data Safe
While regulations are enacted at the agency level, lawmakers shape those regulations, deciding what is included and what is eliminated from any proposed law. That’s why visits to Capitol Hill are important to provide lawmakers with “in-the-trenches” insights that can help craft legislation that benefits both providers and patients.
EHNAC was born out of necessity during the HIPAA era to help keep patient data safe at every point along the care continuum. DirectTrust came into being during the HITECH era, advancing secure communications through collaboration and a standards-based trust framework.
Together, we’ve been at the forefront of cybersecurity and data sharing for 30 years, actively engaged in such efforts as 405(d), HL7 FHIR, interoperability, and many others.
We came away from these meetings heartened that lawmakers are taking cybersecurity seriously and truly want to help our industry and the patients we serve. We will continue to monitor federal lawmaking efforts, especially in relation to security and privacy of patient data in an increasingly interoperable environment. Additionally, we will continue to promote commonsense ideas that bring minimum data security standards verified by independent auditors/assessors to keep patient data flowing in a safe manner.