Inside CHIME: CHIME and AEHIS Members Highlight Cybersecurity Policy Challenges at Congressional Briefing


By Leslie Krigstein, Vice President, Congressional Affairs

Last week, in celebration of National Health IT Week and the start of Cybersecurity Awareness Month, CHIME and AEHIS hosted a Congressional briefing to draw attention to the mounting cybersecurity challenges facing healthcare organizations. Leveraging the recommendations made by the Health Care Industry Cybersecurity Task Force, the panel of CIOs and CISOs pointed to areas where policymakers can better help the provider community prepare for or fend off cybersecurity attacks.

The event, titled “The Critical State of Healthcare Cybersecurity: Leveraging the Recommendations Made by the Health Care Industry Cybersecurity Task Force,” was attended by Congressional staff, federal agency officials and industry partners.

The briefing kicked off with an update from the Department of Health and Human Services on the criticality of the issue. Steve Curren, the director for the Division of Resilience in the Office of Emergency Management within the Office of the Assistant Secretary for Preparedness and Response, recapped HHS’ cybersecurity efforts this year.

Attendees received background on the work of the Task Force from Theresa Meadows, senior vice president and CIO at Cook Children’s Health Care System and the co-chair of the Health Care Industry Cybersecurity Task Force. She offered an overview of the six areas in which the Task Force made recommendations.

The question of knowing how much security is enough was a popular one. Liz Johnson, CIO at Acute Care Hospitals & Applied Clinical Informatics, Tenet Healthcare, outlined the need for clear cybersecurity “rules of the road” and the value of not holding providers liable for cybersecurity incidents that occur despite practicing good cybersecurity hygiene.

Cletis Earle, vice president and CIO at Kaleida Health, spoke to the importance of information sharing, even across sectors, to improve industries’ overall cybersecurity posture. The sharing of cybersecurity threat indicators or information on a potential breach is a concept healthcare provider organizations are still adjusting to, with many questions surrounding the legal protections granted by the Cybersecurity Act of 2015 (also referred to as the Cybersecurity Information Sharing Act of 2015).

It couldn’t have been a healthcare cybersecurity event without discussion of medical device cybersecurity challenges. The final panelist at the briefing was Karl West, CISO and assistant vice president at Intermountain Healthcare, who discussed the complexity of managing cybersecurity across the vast ecosystem of health systems. Using medical devices as an example, he discussed how health organizations may not always have direct security controls. In light of the WannaCry and Petya attacks that impacted some medical devices, this topic is of particular interest of late to policymakers.

Additionally, we conducted meetings with policymakers on Capitol Hill and in the federal agencies to discuss our cybersecurity challenges in depth. CHIME also hosted a reception in celebration of National Health IT Week that attracted D.C.-area members, health IT industry leaders and other friends of CHIME.

CHIME and AEHIS will continue to highlight cybersecurity in healthcare as an issue that lawmakers and agency officials need to be engaged in and continue to recommend policy solutions to improve patient safety. What are some of the policy challenges in the cybersecurity realm that you’d like our advocacy to focus on?

Did you, or your organization, do anything to celebrate National Health IT Week? What does your organization have planned for Cybersecurity Awareness Month? Email us at [email protected] to let us know.
