Washington Debrief: Lawmakers Explore Cyber Risks of Connected Devices, IoT in Hearing

Nov. 21, 2016

Key Takeaway: The House Committee on Energy and Commerce held a joint hearing last week to examine the role of connected devices, including medical devices, in recent cyber attacks.

Why It Matters: The internet of things (IoT) and the growth of connected devices have exposed additional security vulnerabilities, presenting new avenues for bad actors to exploit, including in healthcare. Among the many devices that could be co-opted by threat actors are medical devices, both those in the traditional sense and consumer devices that blur the lines through their potential to inform clinical decision making.

CHIME and AEHIS submitted a statement, included in the hearing record, that outlined the role medical devices could play in a distributed denial of service (DDoS) attack and possible actions for Congress to take to enhance the security of medical devices in coordination with the Food and Drug Administration (FDA). The recommendations included ensuring the FDA has proper resources to manage vulnerability disclosures and to evaluate security during the device approval process.

Members of the Subcommittees on Communications and Technology and Commerce, Manufacturing and Trade explored the range of security issues facing the healthcare industry, including roles and responsibilities for medical device manufacturers and healthcare providers. Members and witnesses discussed what incentives may need to be inserted into the marketplace to ensure that security is intrinsically designed into the product rather than added as an afterthought.

Congressional Outlook for the Remainder of 2016 – 21st Century Cures, Government Funding

Key Takeaway: As the final days of the 114th Congress come to a close, a few healthcare bills may still stand a chance.

Why It Matters: Congress is set to adjourn for the year on December 16, leaving limited time to consider legislation. Among the top legislative candidates for consideration that include health IT provisions is the 21st Century Cures Act, which will be reconciled with the work of the Senate Health, Education, Labor and Pensions Committee’s Innovation Initiative.

The House passed a comprehensive bill, the 21st Century Cures Act (HR 6), in an overwhelmingly bipartisan fashion in July 2015, which included provisions on interoperability, information blocking and telehealth. The Senate HELP Committee instead approved a number of individual bills, including the Improving Health Information Technology Act (S.2511), which also addressed a number of health IT issues. CHIME staff has compared the health IT provisions of the two existing bills here.

Another bill that CHIME would like to be considered is the EHR Regulatory Relief Act (S.3173). This legislation, sponsored by Senator John Thune (R-SD) and the group of Republican senators known as the “REBOOT” group, would instate 90-day reporting periods for the Meaningful Use program perpetually as well as adjust the troublesome all-or-nothing structure of the EHR Incentive Program for all providers beginning in the 2016 program year and for eligible hospitals thereafter when Medicare clinicians move to the Quality Payment Program (QPP) established by the Medicare Access and CHIP Reauthorization Act. CHIME has endorsed this legislation, and if you’d like to tell your Congressional delegation to support this legislation, you can do so here.

The current government funding package expires on December 6; therefore, Congress must also pass either a short-term continuing resolution (CR) or a series of appropriations bills to fund the government through FY17. Most recent discussions suggest that a short-term package will fund the federal government through March of 2017 to allow the new Administration and new Congress to influence the funding package based on their policy priorities.

Health IT Money

Key Takeaway: AHRQ Funding Opportunity

Why it Matters: AHRQ intends to publish a Funding Opportunity Announcement to conduct research that demonstrates how health information technology (IT) can improve patient-centered health outcomes and quality of care in primary care and other ambulatory settings through the scale and spread of successful, health IT-enabled practice models that use patient-reported outcome (PRO) measures to achieve these objectives. More information can be found here.

New NIST Cyber Resource

Key Takeaway: NIST has published a groundbreaking new security guideline on systems security engineering.

Why it Matters: The new NIST guideline addresses the longstanding problem of how to engineer trustworthy, secure systems—systems that can provide continuity of capabilities, functions, services, and operations during a wide range of disruptions, threats, and other hazards. The publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems.

OCR November Newsletter

Key Takeaway: OCR focuses on best practices to prevent breaches.

Why it Matters: OCR’s November 2016 Cyber Awareness Newsletter shines the spotlight on best practices to prevent breaches due to weak authentication. Authentication is a process used to verify whether someone or something is who or what it purports to be in the electronic context, while keeping unauthorized people or programs from gaining access to information. In the healthcare sector, healthcare entities usually use login passwords or passphrases to access information on public or private networks, internet portals, computers, medical devices, servers, and software applications. OCR suggests that healthcare entities take a second look at their safeguards to decrease the possibility of being exposed to potential threats, and how to reduce breaches of electronic protected health information. Read OCR’s full article.

Malcolm Baldrige Quality Award

Key Takeaway: NIST Now Accepting Applications for the Malcolm Baldrige Quality Award

Why it Matters: High-performing U.S. businesses, nonprofits, health care, and education organizations should consider applying next year for the nation’s most prestigious and only Presidential award for organizational excellence: the Malcolm Baldrige National Quality Award. 2017 Baldrige Award application forms and guidance are now available online to help organizations learn how to apply and begin preparing to submit a complete application by the deadline of May 2, 2017 (and eligibility package due date of February 21, 2017).

CMS Quality Webinar

Key Takeaway: QR-EHR Incentive Program Alignment Outreach and Education Webinar on common errors for quality reporting data architecture (QRDA) Category I test & production files.

Why it Matters: This Outreach and Education webinar for participants in the Hospital Inpatient Quality Reporting (IQR) Program is scheduled for Wednesday, November 30, 2016. This presentation will provide an overview of several topics related to the mandatory electronic Clinical Quality Measure (eCQM) submission process for the Hospital IQR and Medicare EHR Incentive Programs for Calendar Year 2016. The topics include the top-ten eCQM QRDA test and production file submission errors, tips to troubleshoot the errors, and a review of tools and reference materials to assist facilities to successfully submit files. You may register for the webinar here.