The Workgroup for Electronic Data Interchange (WEDI) says that the Department of Health and Human Services (HHS) should create an Office of National Cybersecurity Policy led by a “cyber policy czar.”
In the wake of the high-profile Change Healthcare and Ascension cyberattacks, WEDI sent a letter to HHS Secretary Xavier Becerra, identifying issues and recommendations aimed at mitigating the potential consequences of a cyberattack on healthcare operations and patient safety.
“Recent cyberattacks, while unprecedented, are just the latest example of what has become unfortunately all too commonplace in the healthcare industry,” said Charles Stellar, WEDI President and CEO, in a statement. “When administrative transactions such as medication prescriptions, claims, and treatment authorizations cannot be conducted, provider operations and even patient care can be impacted.”
WEDI’s membership identified several actions the federal government could take to minimize the negative impact a cyberattack can have on the healthcare system. WEDI’s recommendations to HHS included:
• The recommended Office of National Cybersecurity Policy (ONCP) would not replace any existing agency or usurp any other agency’s jurisdiction or function, but rather drive a centralized process of cyber incident reporting, coordinating harmonization efforts across federal agencies stakeholder education (with a focus on under-resourced organizations), steer funding for stakeholder cyber preparedness, develop and deploy national contingency planning, and serve as the point agency for industry recovery following a major cyber incident.
• Conduct Select Audits and Educate Industry. HHS, through its Office for Civil Rights (OCR), should conduct proactive, comprehensive select audits of the healthcare sector. Through these select audits, OCR can identify best practices that will provide guidance targeted to address compliance challenges and be leveraged in an educational campaign to better prepare covered entities to address cyber threats.
• Establish a Voluntary Security Audit Program. OCR should be directed to establish a program that would permit covered entities to voluntarily undergo a security audit. Those submitting their policies and procedures for voluntary review should not be subject to enforcement action should any deficiencies be identified during the audit. Rather, the organization should be given sufficient time to correct any issues.
• Accredit the Accreditation Programs. HHS should consider developing minimum standards for third-party accreditation/certification entities. A minimum set of security, privacy and cybersecurity standards could be mandated to ensure that an accredited or certified organization would be in the best position to avoid a cyberattack or mitigate the effects of a cyberattack.
• Implement Administrative Actions. HHS should build on its actions following the recent cyberattack on a major clearinghouse. Should a major cyber incident occur, HHS should have in place and be ready to implement actions to immediately assist data exchange processes between providers and health plans. These actions could include:
• Expedite new electronic data interchange (EDI) enrollment.
• Accept paper claims.
• Relax or eliminate select prior authorization requirements.
• Provide advance funding.
• Delay or waive data reporting requirements.
• Issue trading partner post-attack communication guidance.
• Explore opportunities to increase cybersecurity funding.
WEDI also suggests that HHS designate a week as “National Health Care Cyber Fire Drill Week.” This would be a designated period when the federal government would lead the healthcare industry in promoting cyber awareness and action.