

CHIME Response to Senator Warner’s Policy Options Paper re: Cybersecurity in Health Care Sector

Date

Thu, Dec 1, 2022, 07:00 AM



December 1, 2022






The Honorable Mark Warner


703 Hart Senate Office Building


Washington, DC 20510






Dear Senator Warner:


The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) appreciate the opportunity to comment on your policy options paper, “Cybersecurity is Patient Safety,” released on November 3rd.


CHIME is an executive organization dedicated to serving chief information officers (CIOs) and other senior healthcare IT leaders in hospitals, health systems and other healthcare settings across the country. Our more than 2,900 members are responsible for the selection and implementation of the clinical and business technology systems that are facilitating healthcare transformation. Launched by CHIME in 2014, AEHIS represents more than 950 healthcare security leaders and provides education and networking for senior IT security leaders in healthcare. CHIME and AEHIS members are among the nation’s foremost health IT experts, including on the topics of cybersecurity, privacy and the security of patient and provider data and of the devices connecting to their networks.


CHIME and AEHIS applaud your leadership and long-standing commitment to highlighting and ameliorating the patient safety and national security risks posed to the healthcare sector by cyberattacks. Our sector is under siege, with a war being waged by cyber criminals – often nation-state sponsored – deploying cyber missiles that escalate in gravity with each passing year. Hospitals, health systems, safety-net providers, post-acute and long-term care facilities, behavioral health centers, and clinicians in settings across the continuum of care have been stretched – beyond capacity in many cases – during the pandemic. The time to take action is now, as the amount of data being shared in our sector continues to grow.


Most healthcare settings in the U.S. are not-for-profit and many are small, and the resources available to them to fend off the multitude of cyberattacks are limited, if not non-existent. While some medium to larger healthcare systems are better resourced, there are still limits to what they can do. Cybersecurity is a shared responsibility. Providers need additional support to defend themselves from increasingly sophisticated attacks aimed at stealing intellectual property, extorting ransom payments, threatening patient safety by targeting medical devices connected to their networks, and hindering providers’ ability to deliver care overall.


The healthcare sector is creating a burgeoning amount of data: a compound annual growth rate of 36% between 2018 and 2025, more than 500,000 medical devices, 350,000 health apps, and the average patient generating 80 megabytes of data per year. This all adds up to an ever-growing landscape ripe with opportunity for cyber criminals. The time for Congress to act is now. Our members are committed to working to improve our sector’s posture and to reducing these risks; however, as recognized in your paper, we cannot do this alone. Outlined below are our key recommendations, which are described in greater detail in the appendix to our letter.


Key Recommendations


Our key recommendations in response to your policy paper are outlined below.


I. Funding Needs


  1. Congress should appropriate more funding to HHS for cybersecurity for ASPR, HC3 and the 405(d) program to support our sector, and each area needs a separate line item;

  2. A grant program targeted to small, medium and under-resourced providers will help address immediate cybersecurity needs;

  3. Congress should fund a “cash for clunkers” program, and the funding should be directed to healthcare providers, not to device manufacturers; and

  4. A voluntary cyber incentive program is needed to help offset the investments needed by healthcare providers to improve their cyber posture and reduce patient safety and national security risks.


II. 405(d) Program


  1. ASPR should remain the SRMA, and the 405(d) Program should continue to support our sector’s highly successful joint public-private partnership in developing best practices and other tools to improve our sector’s cybersecurity posture; the 405(d) Program should drive the Department’s work around improving our sector’s cyber posture, with funding to support its excellent work; and

  2. HHS should engage in more education efforts and leverage the Centers for Medicare & Medicaid Services (CMS) as an outreach channel to help increase awareness and further educate providers about 405(d) and other free federal resources on cybersecurity.


III. Penalties


  1. Policy levers that involve incentives should be prioritized over penalty and punitive structures;

  2. Medicare Conditions of Participation (CoPs) should not be used to drive adoption of cybersecurity best practices and should be avoided at all costs;

  3. Healthcare providers – especially small and under-resourced ones – should not be forced to continue to shoulder the entire burden of cyber crimes;

  4. Congress should modify the penalty structure under HIPAA for healthcare providers who suffer a cyber incident to make it less punitive;

  5. Stark and Anti-Kickback policies should be changed to broaden the categories of technology that are eligible for donation and to prohibit donation recipients from taking legal action against their donor in the event of a cyber incident;

  6. Place an increased emphasis on unmasking, charging and prosecuting cybercriminals; and

  7. Increase punishments for cybercriminals prosecuted for attacks impacting healthcare as a deterrent.


IV. Incentives


  1. Congress should establish a cybersecurity incentive program tied to the 405(d) Program’s best practices laid out in Health Industry Cybersecurity Practices (HICP);

  2. Avoid downside risk (penalties) in order to incent uptake;

  3. Recognize and reward best practices adopted outside of the 405(d) Program when a provider meets or exceeds the practices outlined in HICP;

  4. If funding must be limited, it should be prioritized for small, medium, and under-resourced providers, and for those who were not eligible for electronic health record (EHR) incentives, including post-acute and long-term care providers; and

  5. Designate CMS as the federal agency to oversee the cybersecurity incentive program, with cooperation and input from the 405(d) Program and other HHS components.


V. Medical Devices


  1. Congress should pass the PATCH Act (S. 3893) to give the FDA greater oversight over medical device manufacturers;

  2. Congress should reconvene the 2017 Task Force to develop a plan to prioritize which medical devices should be eligible for a replacement program;

  3. FDA should be given authority to issue regulations that are legally binding, in addition to its authority to issue non-legally binding guidance documents; and

  4. Device manufacturers should be required to:

     1. Stop selling devices with software that is no longer being supported or is at the end of its lifecycle;

     2. Support a device for as long as it has not been sunsetted;

     3. Notify providers when they are no longer supporting a device, when there is a known vulnerability, and when patches are available; and

     4. Furnish providers with a software bill of materials (SBOM).


VI. Cyber Insurance


  1. The federal government should institute a catastrophic cyber insurance program to help healthcare providers offset the extremely high costs and to serve as a backstop for those unable to obtain insurance on the open market; and

  2. There should be greater oversight of private cyber insurance carriers.


VII. Privacy


  1. Direct the FDA and OCR to better align their guidance and enforcement activities to ensure that medical device manufacturers are meeting their obligations as HIPAA business associates (BAs), and require manufacturers to meet these obligations as a condition of FDA device approval;

  2. Congress should pass a national privacy law to better protect consumers’ health and other sensitive information;

  3. In the absence of a national privacy law, third-party apps that handle health or other sensitive information should be required to clearly inform consumers how their information is being used;

  4. Provide ample and consistent funding to the FTC to assist enforcement of the Health Breach Notification Rule; and

  5. Use the information from the Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries to inform policies that better protect against the sharing of sensitive data – especially health data – without the consumer’s knowledge and/or consent.


VIII. Workforce


  1. A federal workforce development program should be created that focuses on healthcare cybersecurity;

  2. Access to free cyber training and assistance should be made available to providers under a Regional Extension Centers (RECs) model; and

  3. Student loan forgiveness programs should be available for those serving in cybersecurity positions in healthcare.


Conclusion


CHIME and AEHIS appreciate the opportunity to share our perspectives with you and are strongly encouraged that, with your leadership, there will be meaningful changes in our sector that will help us improve our collective cyber posture and improve patient safety. Should you have any questions or require follow-up on our recommendations, please do not hesitate to contact our Vice President of Public Policy, Mari Savickis, at [email protected].




Sincerely,


Russell P. Branzell, CHCIO, LCHIME


President and CEO


CHIME
