Electronic Healthcare Records , Governance & Risk Management , Privacy

Why Cybersecurity Is Critical to Healthcare Innovation

Groups Offer Feedback on HHS's Plans for Workgroup Focused on Spurring Investments
Why Cybersecurity Is Critical to Healthcare Innovation

As the Department of Health and Human Services explores how to spur innovation and investment in the healthcare sector, cybersecurity is among the top issues that need to be addressed, according to some industry organizations submitting feedback.

See Also: OnDemand | Driving Security, Privacy, & Compliance Goals by Accelerating HITRUST Certification

HHS in June issued a request for information soliciting public comment "on a planned initiative of the Office of the Deputy Secretary of HHS to develop a workgroup to facilitate constructive, high-level dialogue between HHS leadership and those focused on innovating and investing in the healthcare industry."

In its RFI, HHS said it was seeking comment "on how to structure a workgroup, or other form of interaction between the department and such participants in the healthcare industry, in order to best support communication and understanding between these parties that will spur investment, increase competition, accelerate innovation, and allow capital investment in the healthcare sector to have a more significant impact on the health and well being of Americans."

Cybersecurity Threats

But along with intentions to spur innovation and investment in the healthcare sector, HHS also needs to keep cybersecurity issues on the radar of its new workgroup, some organizations noted in their feedback to HHS.

In its comments, the College of Healthcare Information Management Executives - an association of CIOs and CISOs - noted the importance of cybersecurity issues as part of standards in any discussions between HHS and a new industry workgroup related to spurring healthcare technology innovation and investment.

"One of the biggest challenges that the workgroup will face is identifying an effective way to incentivize or otherwise promote ongoing, responsible innovation," CHIME writes.

"We recommend that this new workgroup: 1) Offer the HHS secretary its recommendations for a set of standards - based on ... [several] factors ... that innovators should consider in developing technology to help treat patients and help caregivers; and 2) HHS use the recommendations to develop a voluntary framework for use by innovators."

Cybersecurity is among factors that need to be part of any recommended standards embraced by innovators in healthcare, CHIME writes.

"The cybersecurity threats in healthcare are mounting, increasing costs to the industry and creating patient safety concerns."
—CHIME

"The cybersecurity threats in healthcare are mounting, increasing costs to the industry and creating patient safety concerns," CHIME writes. "Cybercrime in healthcare settings is now a lucrative industry for bad actors. The growing nature of our interconnected healthcare world is also raising the stakes for the likelihood of negative patient outcomes attributed to a cyber event. Innovations in technology must consider these growing threats."

Patient IDs

Among other critical factors that CHIME says need to be among potential recommended standards embraced by healthcare innovators are a "prioritization of ethical considerations," the involvement of clinicians and patients early in design and rollout phases. and supporting a uniform way to uniquely and accurately identify patients and connect them to their medical records.

A current lack of standards related to identifying patients is "a barrier to maximizing the benefits of existing and emerging technologies," CHIME writes. "Consistently identifying patients across health systems and different electronic health record platforms is a significant challenge. As patients seek care at different providers and seek the most cost-effective treatment, this situation will only grow more complicated."

CHIME is among several healthcare information technology-related organizations that have for years been calling for the industry to improve its patient ID record matching efforts in order to bolster patient privacy and safety.

Congress more than 20 years ago banned the Department of Health and Human Services from funding a unique national patient identifier. Some trade groups, including CHIME, have long argued that the lack of nationwide patient ID standards hinders safe and secure health information exchange at a national level.

Workgroup Membership

In its comments, CHIME also recommends that membership of a new HHS workgroup to help spur technology innovation and investment "should consist of broad consensus of stakeholders," including healthcare CIOs and CISOs.

"The privacy and security of patient data - as well as the federal and state regulations governing such information - must be considered as new innovations and technologies are incorporated into healthcare delivery systems," CHIME writes.

Other workgroup members should include "on-the-ground" providers, clinicians and other practitioners; patients and caregivers; EHR vendors; and "innovators of all sizes and types," CHIME writes.

"Some areas where expertise will be necessary is in genomics, machine learning, voice recognition and cybersecurity so that responsible innovation can take place."

Better Coordination Needed?

The American Medical Association wrote that it worries about "prescriptive regulations" and cited privacy and security regulatory issues among areas that need to be better coordinated when it comes to healthcare technology.

"It is our experience that excessive regulation, or regulation that is too prescriptive, contributes to myriad negative consequences," writes the AMA, which represent physicians. "As such, HHS must contemplate downstream policy implications as a core function of its effort. HHS should also establish a coordinating effort to facilitate cross-department collaboration. For instance, the Office of Civil Rights, the Office of Inspector General, the Office of the National Coordinator for Health IT, and the Food and Drug Administration have differing perspectives on and authority over health information security."

Without alignment across the federal government on these issues, the AMA writes, "health IT developers, health systems and physicians will increasingly encounter conflicting guidance, which stymies innovation and adoption."

In terms of potential workgroup membership, the AMA notes it is a founding member of Xcertia, a non-profit focused on the development of guidelines for mobile health apps.

"There are currently more than 25 leading organizations participating, as well as a recent partnership with the Consumer Technology Association. Initial content has been completed covering four areas: operability, security, privacy and clinical evidence/content. Workgroups have since been assembled to focus on these topics and planning is underway for related validation studies," AMA writes.

Given that representatives from both the HHS' ONC and FDA are ex officio members of Xcertia, "we recommend that HHS leverage Xcertia's efforts and expertise," AMA adds.

A HHS official says the department received comments from about 100 healthcare industry stakeholders, including trade groups, technology vendors, software developers and healthcare providers. HHS will dive into the comments soon and then refine its plans for the workgroup based on the comments, likely by September, the official says.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.