
Washington Debrief: Ransomware Subject of Senate Hearing

May 23, 2016
by Leslie Kriegstein, Vice President of Congressional Affairs, CHIME

Congressional Affairs

Ransomware Subject of Senate Hearing

Key Takeaway: Recognizing that hospitals and health systems are not the bad actor in incidents such as ransomware attacks, the Senate Committee on the Judiciary examined what authority the nation’s law enforcement agencies need to pursue botnets and to prosecute those illegally accessing or manipulating data.

Why It Matters: Congress has taken a great interest over the past few years in how to better protect data, whether it be health, financial or otherwise. The Subcommittee on Crime and Terrorism, led by Senators Lindsey Graham (R-SC) and Sheldon Whitehouse (D-RI), explored how the nation could hold these bad actors criminally liable if patient lives are jeopardized by a ransomware or other malware attack. Senator Graham said that “locking down a hospital” via a ransomware attack is not just an issue of money; it puts lives at risk.

While the hearing was not specifically focused on healthcare, given the recent coverage of ransomware incidents in the healthcare industry, the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) submitted a statement for the hearing record outlining the current state of the industry’s cybersecurity readiness and providing suggestions on how to better position the nation’s health systems to fend off such attacks.

The House Committee on Energy and Commerce will discuss the cyber readiness of the Department of Health and Human Services (HHS) through the lens of a bill (H.R. 5068) during a hearing on Wednesday, May 25. The HHS Data Protection Act would move the Chief Information Security Officer (CISO) position away from reporting to the Chief Information Officer (CIO), instead making it a position equal to the CIO and directing that the CISO report to the Assistant Secretary for Administration at HHS.

Congress Keeps Pressure on VA to Outline Future EHR plans

Key Takeaway: The Military Construction and Veterans Affairs (MilCon/VA) spending legislation that was passed by the House and Senate last week requires the Department of Veterans Affairs (VA) to report to Congress a plan for keeping its VistA electronic record or moving to a new system. The plan must include a proposal with metrics, time frames and a cost estimate.

Why It Matters: The House passed a bill (H.R. 4974) on a 295-129 vote, and the Senate voted 89-8 last Thursday to pass the 2017 VA spending bill that includes $260 million for the VA to modernize its EHR.

As in past VA spending bills, Congress will withhold a certain amount of the department's IT budget until it submits progress reports on meeting interoperability with the Department of Defense (DOD) EHR system.

Federal Affairs

Scuttlebutt on APIs

Why it Matters: The chatter on APIs continues to take center stage in Washington.

Key Takeaway: Meaningful Use Stage 3 and MACRA will require the use of APIs so that patients can more easily access their health information. The precision medicine effort of the White House has also pinned its hopes on use of APIs to facilitate data sharing. There are no requirements in the 2015 version of CEHRT for standardizing APIs, which is expected to create challenges for the desired state of seamless data exchange. With providers being required to enable APIs to facilitate patient access, concerns abound around introducing more security threats into an already taxed environment. Here are some highlights on APIs from this week:

FDA and EHRs for Clinical Trial Use

Key Takeaway: FDA publishes draft guidance involving EHRs and clinical trials.

Why it Matters: This guidance is intended to assist sponsors, clinical investigators, contract research organizations, institutional review boards (IRBs), and other interested parties on the use of electronic health record (EHR) data in FDA-regulated clinical investigations. This guidance provides recommendations on:

  • Deciding whether and how to use EHRs as a source of data in clinical investigation
  • Using EHRs that are interoperable with electronic systems supporting clinical investigations
  • Ensuring the quality and the integrity of EHR data that are collected and used as electronic source data in clinical investigations

Comments are due to the FDA on July 18, 2016.