CHIME to Congress: HIPAA isn't enough to ensure cybersecurity

In a March 1 letter to Congress about the relationship between technology and healthcare costs, the College of Healthcare Information Management Executives called on Congress to address growing cybersecurity threats to patient data.

As healthcare becomes more digital, cybersecurity is increasingly important. A single strain of ransomware can have a major effect across the industry at large. For example, the 2017 "Petya" and "WannaCry" ransomware attacks affected over a dozen hospitals and other organizations in 150 countries.

"Healthcare is deemed a critical infrastructure by the Department of Homeland Security, and as such, patient safety and patient data should be viewed as a public good; protecting those things should be a national priority," CHIME wrote. The letter notes that providers spend significant resources on compliance with HHS' complex privacy and security regulations, which can mean few resources are left to address actual threats.

Five recommendations from CHIME's letter, under the heading "HIPAA compliance doesn't equal good cybersecurity":

1. Instead of focusing on cyberthreats out of the provider's control, HHS should provide guidance on cyberthreats within the provider's domain.

2. Congress and HHS should identify measures to ensure providers don't have to maintain full responsibility for protecting PHI beyond their control.

3. The Office for Civil Rights should reward providers for actions they take to protect data and prevent cyberattacks, and it should take these efforts into account when determining enforcement actions after a breach.

4. Congress should alter the definitions of words like "breach" that are listed in the Health Information for Economic and Clinical Health Act, CHIME wrote. The organization believes the current definition presumes the provider is at fault.

5. Congress should foster open communication and interoperability among states to facilitate secure data sharing between providers in different locations. To do this, Congress will need to consider, and potentially alter, previous HIPAA provisions.



© Copyright ASC COMMUNICATIONS 2019.

 
