Compliance Management, Critical Infrastructure Security
Should healthcare cybersecurity framework be one-size-fits-all?

In its quest to ensure greater security adoption in healthcare, healthcare stakeholder groups urge OCR to avoid an 'all-or-nothing' approach as it considers modifying the HITECH Act. (Photo credit: "EMT/Nursing Pediatric Emergency Simulation - April 2013 18" by COD Newsroom is licensed under CC BY 2.0.)
If the Department of Health and Human Services wants to improve and support adoption of best practice security measures in healthcare, it should avoid an “all-or-nothing” approach to security implementations. Rather, HHS should better educate covered entities and provide recommendations on the importance of adopting industry standards.

Specifically, HHS should consider how far along healthcare covered entities are in implementing their chosen security measures, rather than enacting strict requirements that may actually inhibit adoption, according to comments from several leading stakeholder groups.

The comments were sent to HHS in response to its request for information released in April, which asked for feedback on the current state of security practices used in healthcare, as outlined in HITECH, and for suggestions on how the HHS Office for Civil Rights can better support entities in implementing industry-standard security measures.

HITECH was enacted in 2009 to promote the adoption of health IT and includes a host of privacy and security mechanisms for electronic data sharing as a means to bolster the Health Insurance Portability and Accountability Act. However, HIPAA only contains 42 required controls, compared with hundreds of elements outlined in the NIST Cybersecurity Framework, which are routinely updated to meet the current threat landscape.

The RFI received 87 public comments and more than 5,400 page views, highlighting the importance of the ongoing discussions.
SC Media reviewed comments from the Medical Group Management Association (MGMA), American Health Information Management Association (AHIMA), and Association of American Medical Colleges (AAMC), and found several common themes.

Perhaps the most notable recommendation came from AHIMA, which asked OCR to recognize the HHS 405(d) workgroup’s Health Industry Cybersecurity Practices (HICP) voluntary guidance, since the guide can be easily tailored to the specific needs of an organization based on its size and provider type.

The collaborative effort behind the HICP produced a host of best practice security measures that are readily able to strengthen the sector’s cybersecurity posture. The guide represents “a diverse range of inputs, demonstrative of industry best practices that fit the needs of all providers,” according to AHIMA’s letter.

Because the HICP is freely available, adopting it would pass no cost burden on to providers. To AHIMA, that will translate to greater adoption of and participation in the program.

“The end goal of this program is to make healthcare safer by incentivizing providers to adopt security best practices,” AHIMA leaders wrote. “The adoption and recognition of the 405(d) HICP accomplishes both goals.”

If OCR is considering recognizing or recommending the use of multiple best practice frameworks, AHIMA recommended either the NIST CSF or HITRUST Certification, a “robust certification, quality assurance and recertification process ensuring organizations … are actively engaged in securing their networks.”

AAMC also recommended the use of NIST or HITRUST, as well as the measures employed by the Cybersecurity and Infrastructure Security Agency.
But for AAMC, the concern is that OCR may inadvertently overstep HITECH’s statutes and burden providers that use other standards or frameworks, or a combination of measures for various parts of their operations.

HITECH “makes clear that the specific practices adopted ‘shall be determined’ by regulated entities, with the only condition being that the practices are consistent with the HIPAA Security Rule,” according to the AAMC letter. The terms have been carefully calibrated to remain broad, “while providing sufficient clarity for regulated entities to understand the parameters of the term.”

MGMA shared similar thoughts, asking HHS to continue recognizing the broad statutory definition of “recognized security practices,” which ensures providers can choose their own recognized framework, “as there are vast differences in the technical and financial capabilities between medical groups of all sizes.”

“Medical groups should be allowed to continue using their professional judgment as to what is best for their practice and the unique situations they face,” according to the MGMA letter. “For many groups, the most financially viable or available option would be to bundle cybersecurity and cyber insurance with the PMSs or EHRs they already utilize.”