How Could Congress Help Bolster Healthcare Cybersecurity?
CHIME Executive Explains Proposal for Financial Incentives
In light of increasing cyber threats against the healthcare sector, Congress should create financial incentives for healthcare providers to boost their cybersecurity, says Leslie Krigstein, vice president of congressional affairs at the College of Healthcare Information Management Executives.
CHIME, an association of 1,900 healthcare CIOs and CISOs, and its subgroup, the Association for Executives in Healthcare Information Security, made the recommendation in a statement submitted to the Senate Judiciary Committee's Subcommittee on Crime and Terrorism for a recent hearing on ransomware threats.
CHIME called on Congress to examine ways to encourage investments in cybersecurity through financial incentives for healthcare providers who demonstrate "a minimum level" of cyberattack readiness and mature information risk management programs, Krigstein explains in an in-depth interview with Information Security Media Group.
One potential incentive, she says, would be to add a factor for "exceptional security practices or protocols" to the formula used to determine Medicare payments.
Another form of incentive would be to lower or eliminate financial penalties imposed in settlement agreements after data breach investigations by the Department of Health and Human Services' Office for Civil Rights for those organizations that demonstrate a defined level of cybersecurity.
CHIME also repeated its call for Congress to lift its ban on HHS funding the development of a unique patient identifier. The lack of a national patient identification system makes it increasingly difficult for healthcare providers to accurately match the right digital records from multiple sources to the right patient, creating growing patient safety and new privacy concerns, especially as more electronic health information is exchanged.
Other industry groups, including the American Health Information Management Association, have also been calling upon Congress to address these growing concerns (see Making a Case for a National Patient Identifier).
"I think the ball is rolling," Krigstein says. "It may not be rolling as quickly as it needs to, but there needs to be some recognition in the progress that's been made, and hopefully the final result is on the horizon."
The debate over a patient identifier has evolved as new technical options, such as biometrics or geolocation systems, have emerged, she points out. As viable technical options are identified, she says, "we'll start to dissuade those fears of using a single numeric or alphanumeric identifier. Congress is also intrigued with the notion of a solution that's maybe administered in the private sector, rather than held by the government. That might lessen fears of big government having all of this data at its fingertips, which has been a huge concern in the privacy community over the history of this issue."
In the interview, Krigstein also discusses:
- Ways that Congress should consider reducing the complexity of healthcare privacy, security and risk management regulations;
- Recommendations for addressing the cybersecurity skills shortage in the healthcare sector;
- The surge in ransomware against hospitals.
As vice president of congressional affairs at CHIME, Krigstein oversees the association's congressional advocacy and federal agency engagement efforts, which are focused on the effective use of information management within healthcare. Before joining CHIME, Krigstein was a member of the congressional affairs team at the Healthcare Information and Management Systems Society.