Healthcare Informatics Magazine | Health IT | Information Technology

Industry Groups Call for Anti-Kickback Waiver for Cybersecurity Tech

October 31, 2018
by Heather Landi, Associate Editor
Other stakeholders are asking for waivers for vendors to provide free mobile apps under value-based care arrangements, and to allow providers to pay "fair market value" for the exchange of patient data

Several healthcare and health IT industry groups are asking the U.S. Department of Health and Human Services (HHS) to create a waiver under anti-kickback rules to enable the donation of healthcare cybersecurity technology and services to help improve the cybersecurity posture of providers and promote secure data exchange.

The HHS Office of the Inspector General (OIG) issued a request for information (RFI) August 27 to gather stakeholder feedback on how to address modernization of the federal Anti-Kickback Statute to advance beneficial value-based health care. The OIG RFI contained a broad range of questions and topics the agency wants stakeholders to comment on, including potential arrangements that the industry is interested in pursuing, such as care coordination, value-based arrangements, alternative payment models, arrangements involving innovative technology, and other novel financial arrangements that may implicate the anti-kickback statute or beneficiary inducements civil monetary penalty (CMP).

According to the RFI, HHS OIG also wants to know what types of incentives providers and suppliers are interested in providing to beneficiaries and how those incentives would improve care quality, care coordination, and patient engagement. The RFI’s comment period ended October 26.

The Federal Anti-kickback statute provides criminal penalties for individuals or entities that knowingly and willfully offer, pay, solicit, or receive remuneration to induce or reward the referral of business reimbursable under Federal healthcare programs.

While the OIG is seeking input on the broader question of removing regulatory barriers to care coordination, the College of Healthcare Information Management Executives (CHIME) and the Healthcare Sector Coordinating Council (HSCC) both provided comments on how OIG can take steps to improve cybersecurity in healthcare.

Specifically, CHIME and HSCC both noted, in their letters, that cybersecurity threats pose a significant risk to patient safety and called on HHS to create a waiver under the anti-kickback rules that allows for the donation of cybersecurity technology and services to help improve the cybersecurity posture of providers, better protect patient information, improve patient safety, encourage secure data exchange, and help fortify the sector from growing global threats.

“The security of the healthcare system is only as strong as its weakest link, so it would benefit the entire healthcare industry to support the provision of cybersecurity resources outside of large health systems. Doing so would help to protect a community’s larger systems, as well as the affiliated small and medium-sized practices,” the HSCC wrote.

“Creating a waiver under the anti-kickback rules that allows for the donation of cybersecurity technology (both hardware and software), training, and tools to providers (i.e. under-resourced or less sophisticated ones) will improve the overall cybersecurity posture of our industry and will help guard against cyberattacks that threaten patient safety,” HSCC wrote.

HSCC also recommended that OIG work with public and private sector subject matter experts to develop a specific definition of cybersecurity technology when developing this exception.

CHIME also supports a stand-alone cybersecurity safe harbor that permits the donation of cybersecurity items and related services. Both CHIME and HSCC noted that a safe harbor is particularly needed for small to mid-sized healthcare providers and under-resourced providers that do not have the necessary cybersecurity resources or expertise.

“Many providers, especially smaller ones, have taken advantage of the option to accept donated electronic health records (EHRs) as a result of the safe harbor permitting this. A likeminded safe harbor for cybersecurity would thus be welcomed by some of our members,” CHIME wrote.

While some have discussed the notion of modifying the existing EHR safe harbor, CHIME recommends a separate, stand-alone safe harbor specifically designed for the purposes of supporting the donation of cybersecurity items and services. CHIME also recommends that OIG anti-kickback requirements and safe harbors be aligned with Federal Trade Commission (FTC) requirements for clinically integrated networks (CINs).

In its comments, the medical device trade group AdvaMed (Advanced Medical Technology Association) noted that the Anti-Kickback Statute has not been updated to keep pace with changes to reimbursement under federal health care programs, and this creates real-world risks for healthcare organizations when engaging in “legitimate, good-faith arrangements necessary to coordinate care, control costs and improve outcomes, absent clear safe-harbor protection.”

AdvaMed is calling for new safe harbor protections for value-based pricing and warranty arrangements to allow vendors to provide free mobile apps, training and other services to providers to assist with care coordination and to promote the goals of value-based care.

athenahealth, the EHR and practice management software company, also submitted comments in response to the RFI, specifically requesting a carve-out in Stark and anti-kickback laws that would let providers pay “fair market value” for the exchange of patient data. “The new exceptions under the Anti-Kickback Statute and Stark Laws will allow for a true functioning market for the exchange of health information,” Greg Carey, athenahealth's director of government and regulatory affairs, wrote.

Patient data transfer most frequently occurs in the context of a care referral and any accompanying transfer of value is prohibited under the Stark and/or anti-kickback laws, which forces “the curator of quality data” to “assume the cost of electronic transfer of information to a recipient.” Essentially, the sender of the data ends up paying for the “privilege of sending data electronically to a recipient,” which operates as an "effective economic disincentive to information sharing in healthcare,” Carey wrote in the letter.

"It is our experience that information exchange occurs best when there is a business case and problem to solve. We believe that new safe harbors to Stark and Anti-Kickback statute to allow for the fair market value payment for the exchange of health data will spur interoperability forward and allow the market to further realize the benefits of health IT on lowering costs and improving patient outcomes,” Carey wrote.

Twelve States File First Multistate Healthcare Data Breach Lawsuit

December 5, 2018
by Heather Landi, Associate Editor

State Attorneys General from a dozen states filed a lawsuit Monday against several health IT companies, and their subsidiaries, alleging that poor security practices led to theft of protected health information (PHI) of 3.9 million individuals during a data security incident in 2015.

The 66-page complaint, filed in the U.S. District Court for the Northern District of Indiana, names four companies or subsidiaries, including Fort Wayne, Ind.-based Medical Informatics Engineering and NoMoreClipboard LLC. In the lawsuit, the state AGs allege that the companies failed to take “adequate and reasonable measures” to ensure their computer systems were protected.

Over several weeks in May 2015, hackers infiltrated and accessed the "inadequately protected computer systems" of the companies and were able to access and exfiltrate the electronic PHI of 3.9 million individuals, whose PHI was contained in electronic medical records stored in the companies' computer systems. The personal information obtained by the hackers included names, addresses and Social Security numbers, as well as health information such as lab results, health insurance policy information, diagnoses and medical conditions.

The lawsuit marks the first time state Attorneys General have joined together to pursue a HIPAA-related (Health Insurance Portability and Accountability Act) multistate data breach case in federal court, according to the Arizona Attorney General’s office. The lawsuit was filed by attorneys general from Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

According to a media report, Arizonans were among those affected when hackers infiltrated WebChart, a web application operated by Indiana-based Medical Informatics Engineering Inc. and NoMoreClipboard (collectively known as MIE).

The 12 state AGs allege that the companies “failed to take reasonably available steps to prevent the breaches,” and “failed to disclose material facts regarding the inadequacy of their computer systems and security procedures to properly safeguard patients’ PHI, failed to honor their promises and representations that patients’ PHI would be protected, and failed to provide timely and adequate notice of the incident, which caused significant harm to consumers across the U.S,” according to the complaint.

Further, the companies' actions resulted in violations of state consumer protection, data breach and personal information protection laws, as well as the federal Health Insurance Portability and Accountability Act (HIPAA), the lawsuit states.

In July 2015, MIE issued a statement acknowledging the data breach, classifying it as a “data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record.” The company also referred to it as a “sophisticated cyber attack.”

The company said that on May 26, 2015 it discovered suspicious activity in one of its servers. “We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement's investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data,” the company said in a statement three years ago.

At the time, the company said it was continuing to take steps to remediate and enhance the security of its systems. “Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset,” the company said.

In a statement, Arizona Attorney General Mark Brnovich said the 12 AGs allege MIE is liable because, among other things, “it failed to implement basic industry-accepted data-security measures to protect ePHI from unauthorized access; did not have appropriate security safeguards or controls in place to prevent exploitation of vulnerabilities within its system; had an inadequate and ineffective response to the breach; and failed to encrypt the sensitive personal information and ePHI within its computer systems, despite representations to the contrary in its privacy policy.”

Minnesota Attorney General Lori Swanson said in a news release, “Patients expect health companies to protect the privacy of their electronic health records. This company did not do so.”

The lawsuit says the states are seeking unspecified statutory damages and civil penalties.

Top Three 2019 Healthcare Cybersecurity Trends

December 3, 2018
by Christian Aboujaoude, Industry Voice, Senior Director Enterprise Architecture, Scripps Health
There are non-complex strategies that can be easily implemented that can help keep data secure

In recent months, the healthcare industry has been the number one target of cyberattacks, exposing tens of millions of customers’ identities around the world, costing more than $1 billion USD in losses.

Executives from the National Association of County and City Health Officials say that healthcare breaches can cost up to $400 a patient, and yet, only 33 percent of the industry has taken the preventative measure of protecting themselves properly.  With billions of people across the world entrusting healthcare organizations to protect their identities, and these same organizations relying on their critical infrastructure to secure it all, it becomes crucial to not just have the right cybersecurity solution in place to stop an attack before it has a catastrophic impact, but to ensure they are able to prevent future ones from ever happening.

My provider organization, the San Diego-based Scripps Health, takes cybersecurity seriously, and has for many years. In 2013, we decided to take an identity-first approach to protect both internal and external data, and engaged with firms such as SecureAuth to pioneer an identity solution that would protect both internal and external data according to our unique needs. Today, we continue to evolve our solution to keep up with emerging threats, and to stay ahead of threat trends and attackers.

Below are some of the biggest cybersecurity threat trends facing the healthcare industry for 2019, and some recommendations to combat them.

The growing trend of blurring lines between personal and business activities online

We are starting to see a kind of "blurring of the lines" between personal activity on the Internet and activities done from a business perspective. For example, people often use their work email address for personal things, and/or they don't know how to disable certain device tracking settings, such as cookies, that track their every move. Unfortunately, they don't believe that it's actually a problem, when indeed it is. It's like leaving the door open for people with malintent to send phishing emails so targeted that it's often hard to decipher what's real.

Even more sophisticated, very targeted phishing attacks

According to one 2018 study, mobile device phishing attacks are up 85 percent, year-over-year, since 2011, and the reason has to do with the increasing amount of data collected by every site and app visited on your mobile device.

The easiest thing to do is go on your phone, do a search on the Internet, and within a couple of hours, when you go onto Facebook or Instagram, for example, you'll notice that all of a sudden you have targeted marketing in your feed based on your previous search. That data from your search is also sent to other organizations, which means many things people do online are no longer private, leaving you open to a very targeted phishing attack.

To try to prevent these emails from getting through, we're constantly improving the environment by adding triggers that identify whether our users should trust or not.

The continual rapid rise of identity theft

2017 saw an unprecedented amount of identities stolen, to the tune of 158 million social security numbers and 16.5 million credit card numbers—and 27 percent of those thefts belonged to the healthcare industry, according to Experian’s latest identity theft statistics. It’s the continual rise of these thefts that has prompted us to think outside of the box, and into the future, on how to protect patients and employees.

We need to create an external identity and an internal identity, and what I mean by that is, we need the external world to see us one way (our presence on the Internet), and then the internal systems need to have a mask of sorts, like a VPN, to prevent attackers from being able to monitor activity.  From a cloud perspective, it’s imperative to use a service proxy from an identity provider to authenticate back and forth.

We use biometrics to ensure that the right user is the one taking the action they are trying to take. We also lock down access to certain websites so that it is allowed only from an internal IP range, versus having them open to the Internet all the time. Taking these measures reduces the amount of exposure that attackers have from an outside perspective.

What’s more, here are some things that are easily implemented that can help keep data secure:

Continuous education

At Scripps Health, we implemented a mandatory, continuous education program for employees that helps them to understand how their personal actions on business devices, emails, and so forth, can have a detrimental effect on the organization.

It all starts with humans, and whether intentional or unintentional, we all make mistakes.  Thus, we are working to reduce these behaviors while avoiding the creation of a negative and overly complex experience for our employees.  From a user perspective, security is attached to everything we do. We aren’t always aware of that, and we need to be.  From an IT perspective, it’s around understanding business process in order to build the right cybersecurity framework.

Continuous evolution

While education is a significant preventative measure, the evolution of the environment to account for future new kinds of attacks is even greater.

Most people have not spent a lot of time thinking about how they change their environment, how they change their actions, and leverage a Security Operations Center (SOC), and in my opinion, that needs to change significantly.  I really like to implement processes that we can leverage and expand on. It’s vital to the health of our infrastructure.

Having the right tools in place

To continue to protect the environment, we have made a significant investment in the tools we use to keep our infrastructure safe.

We believe that having the right tools in place reduces negativity and complexity in our environment.  In fact, I don’t subscribe to the opinion of needing to have complexity to have security. The more complex your infrastructure is, the more exposed you are.

Atrium Health’s Billing Vendor Hacked, 2.65M Patients Affected

November 28, 2018
by Rajiv Leventhal, Managing Editor

The personal health data of more than 2 million Atrium Health patients has been compromised following a hack on the organization’s third-party billing vendor, AccuDoc.

According to a joint news release from Atrium Health, formerly Carolinas HealthCare System headquartered in Charlotte, and the billing vendor AccuDoc, an unauthorized third party gained access to AccuDoc’s databases sometime between September 22 and September 29. Importantly, noted officials, forensic investigations indicated that the information was not removed from AccuDoc’s systems.

According to officials, the databases accessed by the unauthorized third party contained information provided in connection with payment for healthcare services at an Atrium Health location, and at locations managed by Atrium Health, including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC (New Hanover Regional Medical Center) Physician Group, Scotland Physicians Network and St. Luke’s Physician Network.

Information that may have been accessed includes certain personal information about patients and guarantors, such as first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, dates of service and, in some instances, Social Security numbers.

Officials did note that since Atrium Health’s core systems and those of its managed locations are separate from AccuDoc’s systems and were not involved in this incident, personal clinical and medical records were not involved, nor was financial account information, such as bank account numbers or credit card or debit card information.

According to an Atrium Health spokesperson, “The exact number [of affected records] is hard to pinpoint, but based on our investigation it looks like the unauthorized user gained access to databases that had about 2.65 million records. Of the 2.65 million, it appears around 700,000 included Social Security numbers. It is very important to understand that the data was accessed but not downloaded in this incident. Our forensics reports indicate they were not able to actually download or remove the files.”

However, according to a report in the Charlotte Observer, AccuDoc general counsel Kenneth Perkins did not rule out that more patients might be affected than the number disclosed, adding that “it’s highly unlikely the number will grow. That’s because the current figures are based on entire databases of patients out of an abundance of caution,” he said, according to that report. The story also noted that one other AccuDoc client, Baylor Medical Center at Frisco in Texas, was affected by the hack. Data for about 40,000 people were impacted at that hospital.

Atrium Health operates 44 hospitals across North Carolina, South Carolina and Georgia, and is the largest healthcare provider and employer in Charlotte. AccuDoc is a Morrisville, N.C.-based company that provides billing and other services for healthcare providers.

Currently, AccuDoc and Atrium Health are contacting patients and guarantors whose information was in the affected databases “out of an abundance of caution,” officials said.
