CHIME & AEHIS Call on Feds to Have Greater Transparency on Cybersecurity
Key Takeaway: CHIME and AEHIS last week submitted comments to the National Institute of Standards and Technology (NIST) on a Request for Information (RFI) on cybersecurity.
Why it Matters: NIST in August issued an RFI, “Information on Current and Future States of Cybersecurity in the Digital Economy,” with the goal of gathering input for its upcoming recommendations for strengthening cybersecurity. CHIME and AEHIS made nine overarching recommendations on the challenges and barriers to improving the current state of healthcare cybersecurity, including:
- The need for federal agencies to improve transparency of known threats in order for the healthcare industry to better implement risk mitigation strategies.
- The need for more actionable and plain English guidance about current threats.
- Since a growing number of medical devices are now connected to the internet and hospital networks, cybersecurity needs to be seen as a business issue related to patient safety, not just an Information Technology problem.
We also called for changes to the way compliance enforcement is handled, attention to the needs of under-resourced providers, greater attention to maximizing the protections afforded by Business Associate Agreements, a focus on patient safety, and the need to prioritize healthcare as critical infrastructure.
FTC Hearing on Ransomware
Key Takeaway: Federal Trade Commission (FTC) tackles ransomware.
Why it Matters: In a signal that cybersecurity remains a growing concern for policymakers, the FTC last week hosted a special symposium on ransomware. A recording of the webinar can be found here. The commission explored a number of topics, including:
- How do ransomware extortionists gain access to consumer and business computers?
- What role can consumer and business education play in preventing ransomware infections?
- Are there steps consumers and businesses should be taking to reduce the risk of ransomware or to decrease its impact?
- Are there technological measures that computer operating system and web browser designers can take to prevent ransomware?
- Are there browser plug-ins or other tools that consumers and businesses can employ that will warn if their data is about to be encrypted?
- What can be learned from criminal law enforcement’s efforts to combat ransomware?
- If you fall prey to ransomware, should you pay the ransom?
- If you pay the ransom, how likely are you to receive the decryption key and be able to view your files?
- What happens if you don’t pay the ransom? Are your files lost forever?
The FTC is accepting comments on these topics through October 7.
CHIME Comments on OPPS Rule, Applauds 90-day Reporting, MU Changes
Key Takeaway: CHIME submitted comments on the Centers for Medicare and Medicaid Services (CMS) proposed hospital outpatient prospective payment system (OPPS) rule.
Why it Matters: CMS’ proposed rule called for numerous changes to the Meaningful Use program for hospitals, providing some much-needed relief for both 2016 and later years. CHIME strongly supports the changes CMS has called for, while also highlighting additional areas that we feel warrant changes. We called on CMS to:
- Finalize the proposal for a 90-day reporting period for 2016 as quickly as possible and adopt a like-minded policy for future years as well;
- Reconsider the full-year reporting period for electronic clinical quality measures (eCQMs) for hospitals and adopt a quarterly reporting period instead;
- Align regulatory requirements for clinicians and hospitals in the Medicare and Medicaid programs as closely as possible in order to maximize flexibility;
- Develop education tools for providers to help them navigate different sets of rules (i.e. the Merit-based Incentive Payment System (MIPS) and Medicare versus Medicaid);
- Only require provider use of new technologies when:
  - They have become widely available and their functionality has been proven to improve patient care (i.e. application programming interfaces (APIs) and patient-generated data (PGD)); and
  - Assuming new technologies are found to be effective, do not require full-year reporting for any new Meaningful Use measures, in order to give both vendors and providers time to adapt to the new criteria;
- Reduce thresholds for hospitals for ePrescribing; the timeframe within which information must be made available to patients upon discharge; secure messaging; patient-generated data (PGD); and public health and clinical data registry reporting; and
- Ensure that any mandates for using registries are preceded by proven, common data standards that are broadly available in EHRs and implemented by the registries.
CMS Announces More Flexibility under MACRA