On Capitol Hill, CHIME, HIMSS push for cybersecurity leadership at HHS

The bill would elevate the position of chief information security officer within the Department of Health and Human Services to the same level as the CIO.

Some of the nation’s top healthcare cybersecurity leaders testified before Congress Wednesday morning to support the proposed HHS Data Protection Act (H.R. 5068). That bill would elevate the position of chief information security officer at the Department of Health and Human Services by Oct. 1, 2016 to the same level as the chief information officer within the HHS Office of the Assistant Secretary for Administration. The HHS CISO would be appointed by the president.

Leaders of the College of Health Information Management Executives (CHIME), the Healthcare Information and Management Systems Society (HIMSS) North America, health IT consulting firm CynergisTek and the Atlantic Council think tank addressed members of the House Energy and Commerce Subcommittee on Health. They spoke of the dangers, current and predicted, facing healthcare organizations and their patients from cyber attacks. They also discussed their responses to those challenges and flaws in existing privacy laws, as well as best practices that could shape the organizational role of the HHS CISO.

CHIME Chairman Marc Probst, who also serves as vice president and CIO of Intermountain Healthcare in Salt Lake City, said security should not be an afterthought.

“Everyone needs to make it a priority,” Probst said in a prepared statement, noting: “No industry can enable perfect security; rather organizations must enumerate and manage their risks.”

Probst said HHS faces cybersecurity organizational challenges similar to those of today’s healthcare CIOs.

“Just as healthcare institutions must coordinate efforts to thwart cyber threats, it is vital that HHS have a coordinated plan to address threats to the data and systems used and housed by the department.”

Michael McMillan, chairman and CIO of Austin, Texas-based CynergisTek, said he supports elevation of the CISO role. “When these two positions have equal authority, are both focused on a common mission and working collaboratively, the CIO and CISO form a complementary and effective team to ensure the protection of information assets for an organization,” McMillan said.

“When there is disparity in these relationships there is opportunity for conflicts of interest to arise, stifled or abbreviated discussion of risk and an imbalance of priority.”

McMillan said the healthcare industry poses attractive targets to attackers because, unlike other industries, it presents “a rare opportunity to steal all forms of sensitive personal information — medical information, personal information and financial information, all in a single attack.”

McMillan said a 2015 study by information security firm Symantec found more than 430 million new unique pieces of malware, a 36 percent increase from 2014, and increases in ransomware attacks from 3,000 per month to 4,000 a day by early this year.

Samantha Burch, HIMSS senior director of congressional affairs, said healthcare organizations face a range of challenges from a variety of “bad actors” employing diverse attack strategies.

“Such incidents have included massive amounts of medical information being stolen and sold on the black market at a premium price, hacktivists defacing websites and launching cyber attacks for a political or a socially motivated purpose, hackers leveraging cyber extortion techniques to threaten the release of data in exchange for the fulfillment of a demand, and ransomware attacks holding medical information and data hostage in exchange for ransom,” Burch said.

Burch said the House bill “marks a great opportunity to better position HHS to meet the growing challenges of securing health information, information critical to moving the nation’s innovation and health agenda.”

Photo: Flickr user ttarasiuk