[BreachExchange] Why Cybersecurity Is Critical to Healthcare Innovation

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 10 19:01:50 EDT 2018


https://www.careersinfosecurity.com/cybersecurity-critical-to-healthcare-innovation-a-11181

As the Department of Health and Human Services explores how to spur
innovation and investment in the healthcare sector, cybersecurity is among
the top issues that need to be addressed, according to some industry
organizations submitting feedback.

HHS in June issued a request for information soliciting public comment "on
a planned initiative of the Office of the Deputy Secretary of HHS to
develop a workgroup to facilitate constructive, high-level dialogue between
HHS leadership and those focused on innovating and investing in the
healthcare industry."

In its RFI, HHS said it was seeking comment "on how to structure a
workgroup, or other form of interaction between the department and such
participants in the healthcare industry, in order to best support
communication and understanding between these parties that will spur
investment, increase competition, accelerate innovation, and allow capital
investment in the healthcare sector to have a more significant impact on
the health and well being of Americans."

Cybersecurity Threats

But along with intentions to spur innovation and investment in the
healthcare sector, HHS also needs to keep cybersecurity issues on the radar
of its new workgroup, some organizations noted in their feedback to HHS.

In its comments, the College of Healthcare Information Management
Executives - an association of CIOs and CISOs - noted the importance of
cybersecurity issues as part of standards in any discussions between HHS
and a new industry workgroup related to spurring healthcare technology
innovation and investment.

"One of the biggest challenges that the workgroup will face is identifying
an effective way to incentivize or otherwise promote ongoing, responsible
innovation," CHIME writes.

"We recommend that this new workgroup: 1) Offer the HHS secretary its
recommendations for a set of standards - based on ... [several] factors ...
that innovators should consider in developing technology to help treat
patients and help caregivers; and 2) HHS use the recommendations to develop
a voluntary framework for use by innovators."

Cybersecurity is among factors that need to be part of any recommended
standards embraced by innovators in healthcare, CHIME writes.

"The cybersecurity threats in healthcare are mounting, increasing costs to
the industry and creating patient safety concerns," CHIME writes.
"Cybercrime in healthcare settings is now a lucrative industry for bad
actors. The growing nature of our interconnected healthcare world is also
raising the stakes for the likelihood of negative patient outcomes
attributed to a cyber event. Innovations in technology must consider these
growing threats."

Patient IDs

Among other critical factors that CHIME says need to be among potential
recommended standards embraced by healthcare innovators are a
"prioritization of ethical considerations," the involvement of clinicians
and patients early in design and rollout phases, and supporting a uniform
way to uniquely and accurately identify patients and connect them to their
medical records.

A current lack of standards related to identifying patients is "a barrier
to maximizing the benefits of existing and emerging technologies," CHIME
writes. "Consistently identifying patients across health systems and
different electronic health record platforms is a significant challenge. As
patients seek care at different providers and seek the most cost-effective
treatment, this situation will only grow more complicated."

CHIME is among several healthcare information technology-related
organizations that have for years been calling for the industry to improve
its patient ID record matching efforts in order to bolster patient privacy
and safety.

Congress more than 20 years ago banned the Department of Health and Human
Services from funding a unique national patient identifier. Some trade
groups, including CHIME, have long argued that the lack of nationwide
patient ID standards hinders safe and secure health information exchange at
a national level.

Workgroup Membership

In its comments, CHIME also recommends that membership of a new HHS
workgroup to help spur technology innovation and investment "should consist
of broad consensus of stakeholders," including healthcare CIOs and CISOs.

"The privacy and security of patient data - as well as the federal and
state regulations governing such information - must be considered as new
innovations and technologies are incorporated into healthcare delivery
systems," CHIME writes.

Other workgroup members should include "on-the-ground" providers,
clinicians and other practitioners; patients and caregivers; EHR vendors;
and "innovators of all sizes and types," CHIME writes.

"Some areas where expertise will be necessary is in genomics, machine
learning, voice recognition and cybersecurity so that responsible
innovation can take place."

Better Coordination Needed?

The American Medical Association wrote that it worries about "prescriptive
regulations" and cited privacy and security regulatory issues among areas
that need to be better coordinated when it comes to healthcare technology.

"It is our experience that excessive regulation, or regulation that is too
prescriptive, contributes to myriad negative consequences," writes the AMA,
which represents physicians. "As such, HHS must contemplate downstream
policy implications as a core function of its effort. HHS should also
establish a coordinating effort to facilitate cross-department
collaboration. For instance, the Office of Civil Rights, the Office of
Inspector General, the Office of the National Coordinator for Health IT,
and the Food and Drug Administration have differing perspectives on and
authority over health information security."

Without alignment across the federal government on these issues, the AMA
writes, "health IT developers, health systems and physicians will
increasingly encounter conflicting guidance, which stymies innovation and
adoption."

In terms of potential workgroup membership, the AMA notes it is a founding
member of Xcertia, a non-profit focused on the development of guidelines
for mobile health apps.

"There are currently more than 25 leading organizations participating, as
well as a recent partnership with the Consumer Technology Association.
Initial content has been completed covering four areas: operability,
security, privacy and clinical evidence/content. Workgroups have since been
assembled to focus on these topics and planning is underway for related
validation studies," AMA writes.

Given that representatives from both the HHS' ONC and FDA are ex officio
members of Xcertia, "we recommend that HHS leverage Xcertia's efforts and
expertise," AMA adds.

An HHS official says the department received comments from about 100
healthcare industry stakeholders, including trade groups, technology
vendors, software developers and healthcare providers. HHS will dive into
the comments soon and then refine its plans for the workgroup based on the
comments, likely by September, the official says.