Voluntary Federal Cybersecurity Framework Released
Key Takeaway: The National Institute of Standards and Technology (NIST) released a final version of a voluntary framework for reducing cybersecurity risks to critical infrastructure, which includes the healthcare sector.
Why it Matters: CIOs should review the framework and understand where it aligns with, or diverges from, their current strategy. Federal officials will soon begin work on healthcare-sector-specific implementation guidance for the framework, and CHIME will play an active role in helping craft the final version with input from member experiences.
Developed in response to an executive order issued by the president last year, the voluntary framework consists of standards, guidelines and practices to promote the protection of critical infrastructure. The framework provides a common taxonomy and mechanism for organizations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.
According to agency officials, NIST will continue to update the document based on feedback from users. NIST also announced an initiative with the Department of Homeland Security to work with certain sectors, including healthcare, to develop guidance on how to implement the framework.
CHIME submitted comments on the preliminary framework and encourages members to use the final framework in developing their risk reduction and management programs.
On Tuesday, February 18, CHIME and the AHA will host a members-only webinar on cybersecurity issues for hospitals. The webinar runs from 1 to 2 p.m. ET and requires registration.
Legislation & Politics
Bill Would Limit FDA Regulatory Oversight of Mobile Software, Devices
Key Takeaway: Sens. Deb Fischer (R-Neb.) and Angus King (I-Maine) introduced the Preventing Regulatory Overreach to Enhance Care Technology (PROTECT) Act (S. 2007). The bill states that clinical software and health software would not be regulated by FDA and would therefore be exempt from the 2.3% medical device excise tax.
Why it Matters: The current regulatory approval process for medical devices and software cannot keep up with the rapid innovation cycles of this technology, yet the approval process cannot be changed without legislative action.
Many groups, including CHIME, have called for a risk-based regulatory framework to enable innovation and improve patient care. If the PROTECT Act were to become law, low-risk technologies like electronic health records, clinical decision support (CDS) software, scheduling software and educational wellness apps would not be regulated by the FDA, while apps that diagnose, treat or prevent diseases would be regulated. The bill also gives NIST oversight over technical standards used by clinical software, which includes software that captures clinical information but does not change or affect a person’s health.
This bill is very similar to a House bill introduced by Rep. Marsha Blackburn (R-Tenn.) in October 2013, the Sensible Oversight for Technology which Advances Regulatory Efficiency (SOFTWARE) Act (H.R. 3303). Both bills call for a risk-based framework under which FDA would not regulate clinical and health software.
Opponents of these measures argue that some high-risk CDS software would no longer be regulated by FDA, and that this lack of oversight increases the risk of patient harm. It is unclear whether either bill will be modified to address these concerns.
2014 Work Plans Revealed; Patient Safety, HIPAA Top Agency Agendas
Key Takeaway: In the past few weeks, some HHS agencies have issued their work plans for 2014. Patient Safety reporting will take the lion’s share of health IT work for the Agency for Healthcare Research and Quality (AHRQ), and the HHS Office of Inspector General has pledged to ramp up its oversight of Meaningful Use and the security of certified EHR technology.
Why it Matters: Healthcare IT executives can expect more aggressive audits, focused on how providers are protecting personal health information with certified EHRs. They also can expect more opportunities to work with patient safety organizations and vendor partners as HHS builds on patient safety plans finalized last year.
Alongside the big policy drivers of 2014, such as meaningful use and ICD-10, healthcare IT executives can expect patient safety and HIPAA security to be areas of significant federal activity.
In a special emphasis notice issued last week, AHRQ said it will use its health IT research funding to support projects that “promote post-deployment safety testing of EHRs for high prevalence, high impact EHR-related patient safety risks and focused research demonstration projects that provide evidence to inform the safe use of health IT.” The notice also said AHRQ will prioritize grant applications that focus on patient safety topics related to health IT and EHR system integrity, particularly research into mitigation strategies for EHR downtimes.
The OIG also released its 2014 work plan recently. The HHS chief inspector said the office “will perform audits of various covered entities receiving EHR incentive payments from CMS and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology.” The full OIG work plan is extensive and covers many areas beyond health IT.
Interested in Meeting Government Officials at HIMSS14?
CHIME Public Policy is busy coordinating meetings with leaders at CMS, ONC and other federal agencies. Please contact Jeff Smith, Sr. Director of Federal Affairs, for more information on times and dates.
Edited by Gabriel Perna