As National Cyber Security Awareness Month (NCSAM) passes its halfway point this October, it is worth noting that the healthcare sector, both industry and government, is stepping up to address the accelerating cybersecurity threats to healthcare operations, data, and patient safety. In late summer 2018, the HHS Office of the National Coordinator for Health Information Technology (ONC), which coordinates national health IT policy and administers the ONC Health IT Certification Program for products such as electronic health records (EHRs), issued a request for information (RFI) asking the industry how to better ensure that EHR technology is secure in both its design and its management.
On October 17, the Health Sector Coordinating Council (HSCC) sent ONC a response with recommendations addressing the following RFI questions:
- What reporting criteria could provide information on meaningful differences between products in the ease and effectiveness with which they enable end users to meet their security and privacy needs?
- Describe other useful security and privacy features or functions that a certified health IT product may offer beyond those required by HIPAA and the ONC Health IT Certification Program, such as functions related to requirements under 42 CFR Part 2.
- Discuss the merits and risks of seeking a common set of measures, for the purpose of real-world testing, that health IT developers could use to compare the usability of systems.
- What information about a certified health IT product’s security and privacy capabilities and performance have acquisition decision makers used to inform decisions about acquisitions, upgrades, or use to best support end users’ needs?
- What, if any, types of information reported by providers as part of their participation in HHS programs would be useful for the EHR Reporting Program (e.g., to inform health IT acquisition, upgrade, or customization decisions)?
The answers from the HSCC Cybersecurity Working Group (CWG) include:
- To be better informed about a vendor's security posture, purchasers need to consider both the technical and the policy aspects of the devices and systems on offer: readily available penetration-test results, encrypted database features, software security analysis, Payment Card Industry Data Security Standard (PCI DSS) compliance, patient consent opt-in agreements, privacy policies, and the terms and conditions for patient portals.
- Automated patient-privacy features would be very helpful and desirable for providers, including the vendor's ability to track amendments to a patient's EHR, to automate patient record-sharing and disclosure preferences, and to let patients file complaints through portals.
- Adopting the NIST Cybersecurity Framework, and encouraging use of the Open Systems Interconnection (OSI) Reference Model, can help improve security.
- More information about the third parties that EHR vendors rely on would be helpful, such as where contracted third parties are located (domestically or abroad), along with supporting documentation that lets purchasers conduct better risk assessments.
- Vendors sell upgrades in a variety of ways, and there is no standard way of reporting security issues. Consideration should be given to a more uniform way of reporting them.
The bottom line is that the healthcare sector is working to get ahead of the threats facing it and its patients. We are doing this as a partnership, with government and across critical healthcare subsectors such as direct patient care, health IT, medical devices, pharmaceuticals, and health plans and insurance. This is not just an IT security problem or a regulatory compliance problem; it needs the attention of health providers, chief medical officers, CIOs, general counsels, and the C-suite in general. In this way we can collaboratively diagnose our cyber health, prescribe a regimen of treatment, and move closer to inoculation against an epidemic of cyber vulnerability.