CHIME, AEHIS: CMS Should Develop Cybersecurity Incentive Program

Nov. 10, 2023
Letter to Office of the National Cyber Director says HHS should engage in more education efforts and leverage CMS as an outreach channel to help increase exposure and further educate providers

In an Oct. 31 letter to the Office of the National Cyber Director, the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) called for greater coordination among Department of Health & Human Services agencies and recommended that the Centers for Medicare & Medicaid Services (CMS) develop a cybersecurity incentive program. 

CHIME and AEHIS were responding to a request for information on “opportunities for and obstacles to harmonizing cybersecurity regulations.”

Launched by CHIME in 2014, AEHIS represents more than 950 healthcare security leaders and provides education and networking for senior IT security leaders in healthcare.

Setting the stage for recommendations, the letter notes that the Healthcare and Public Health (HPH) Sector has the unfortunate distinction of being the sector with the most data breaches according to numerous studies. “Healthcare data and information remain lucrative targets for theft and exploitation, particularly through ransomware attacks,” they wrote. “Theft of data skyrocketed during the past few years as criminal groups and adversarial nation states capitalized on the COVID-19 pandemic by using social engineering, the very same techniques that have been successfully used against large, publicly traded companies with far greater resources than the majority of America’s healthcare delivery organizations (HDOs). Health data breaches reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) dramatically increased in 2023, on pace to double last year’s total, according to a Politico analysis of the latest agency data.”

CHIME and AEHIS also point out the dire financial situation some provider organizations are facing. “Many are being forced to reduce their budget below benchmarks, and cybersecurity projects will likely end up not surviving these cuts,” the letter states. “While the number of patients that our hospitals and healthcare systems care for has remained steady, if not increased, they are now experiencing grievous financial circumstances. Without a solution, assistance, and changes in policy on the federal level – we fear and believe that there are many more HDOs that are at risk of closure across the nation.”

Responding to questions about how cybersecurity is coordinated and regulated, the letter noted that there are multiple areas of HHS that are responsible for cybersecurity – including interfacing with the private sector. “This has created fragmentation and coordination challenges both within HHS as well as outside of the Department.” 

The letter recommends that HHS should engage in more education efforts, leverage CMS as an outreach channel to help increase exposure, and further educate providers – especially the small, rural, and under-resourced – with information about: 1) The 405(d) Program’s best practices; 2) The tools that are already available at no cost from the federal government including those from CISA on risk assessment  and their cybersecurity hub; and 3) NIST’s resources for small businesses and their National Cybersecurity Center of Excellence (NCCoE). 

CHIME and AEHIS point out that nearly all providers bill Medicare and that CMS has a long history of operating the EHR Promoting Interoperability (PI) Program (formerly referred to as the Meaningful Use Program). “Therefore, we believe CMS is uniquely suited to help oversee a new cybersecurity incentive program. However, unlike the EHR PI Program, which began as an incentive program and graduated to a penalty structure, we believe the cybersecurity needs in our sector are so dire and our sector’s financial needs and workforce significantly depleted from fighting the COVID-19 pandemic, that there should be no downside risk to participation.”

Calling themselves strong supporters of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), CHIME and AEHIS say they understand that NIST is attempting to thread the needle in so far as the CSF has been developed as a tool to be used by a variety of organizations, across different sectors with different needs.

“While we appreciate the balance NIST aims to strike, we believe smaller, rural and under-resourced healthcare organizations will need more prescriptive steps that they can take if we are to enable them to improve their cybersecurity posture,” they wrote.

“For example, across the continuum of healthcare, one segment that continues to present a substantial amount of risk for our members are smaller physician practices. They have a high need for education and resources given their cybersecurity posture remains immature. Again, we are not suggesting so much that NIST modify the CSF to accommodate different sectors and to be clear, that could create an additional set of problems. An ideal starting point for cybersecurity resource-challenged organizations is to educate them; for example, directing them to the 405(d) Program’s HICP tool, which could also be one way measurement could occur in our sector, and can assist in addressing some of these challenges. Finally, we believe the focus must shift away from the mindset of how one healthcare provider stacks up against another provider – and focus more on the individual provider’s own maturity journey.”