Washington Debrief: Large-Scale Hack Raises Questions about Healthcare Cybersecurity

Chinese Hackers Steal 4.5M Patient Records – Questions Arise About Healthcare Cybersecurity Efforts

Key Takeaway: Last week, Community Health Systems (CHS) had 4.5 million patient records stolen by a Chinese hacker group that possibly exploited the Heartbleed vulnerability. This event points to the greater issue of cybersecurity and healthcare. Are healthcare systems and providers prepared to deal with sophisticated cyber attacks?

Why It Matters: According to reports, CHS had unsophisticated systems in place that were not prepared to prevent this attack. The announcement caused outrage across Washington and brings a whole new level of scrutiny to the healthcare industry, as efforts to modernize the healthcare industry continue via the Health Information Technology for Economic and Clinical Health (HITECH) Act and provisions in the Affordable Care Act (ACA).

While it has not been confirmed whether the Heartbleed vulnerability is to blame, one security firm – TrustedSec – is contending that the hackers used Heartbleed to gain access to patient information. The vulnerability, announced in April, received a lot of attention because the open source software that encrypts data and provided access for the vulnerability had been used in many websites. Internet users everywhere were encouraged to change their passwords after sites patched the vulnerability to prevent access to their information.

On top of this announcement, Federal Agencies and Congress have also started to discuss the topic. Last week, the FBI spoke out about healthcare data security by sending a warning that healthcare systems are likely to be targeted by hackers. Read more about the announcement here (http://www.ihealthbeat.org/articles/2014/8/21/hackers-directly-targeting-health-care-organizations-fbi-warns). Meanwhile, Sen. Tom Carper (D-DE) wants to see more legal protections in place to respond to such cyber attacks because they affect not only people’s privacy, but cyber attacks also have greater implications for the national economy as well.

In Alabama, five former patients of CHS filed the first class action lawsuit against the company over the breach on behalf of any current and former patients. The lawsuit charges the Tennessee-based hospital chain with breach of contract, negligence, infringement of the Fair Credit Reporting Act and violation of privacy. The largest HIPAA settlement to-date was $4.8 million for New York and Presbyterian Hospital (NYP) and Columbia University (CU) for disclosure of 6,800 records. In this instance, a physician creating new applications caused patient information to be searchable on the internet. Both organizations agreed to take corrective actions after the discovery of the breach.

For those who are interested in learning more about what colleagues are doing to prevent cyber attacks, and discuss the challenges and latest trends in cyber security, please join CHIME for one of our upcoming regional LEAD Forums:

• New York, NY – September 15, 2014. Register here (http://www.cio-chime.org/events/forum/lead/index.asp?).
• Washington, DC – October 6, 2014. Save the Date!
• Houston, TX – December 9. Save the Date!

Congress Responds to CHS Breach

Key Takeaway: In response to the breach of 4.5 million patient records at Community Health Services (CHS), a bipartisan, bicameral group of federal lawmakers have expressed the need for a renewed focus on cybersecurity.

Why It Matters: Members of Congress have joined the outcry following last week’s breach of 4.5 million patient records at CHS, which operates 206 hospitals across 29 states. The CHS breach, on the heels of the health.gov security concerns, has garnered attention from members of both the House and Senate.

Lawmakers have questioned the preparedness of entities to protect patient data and the need for additional regulatory action. Cybersecurity has consistently been a bipartisan issue in Congress.

Senate Homeland Security and Government Affairs Committee Chairman, Tom Carper (D-DE) called on Congress to work with the Administration and stakeholders to reform existing laws. He emphasized the need to comprehensively address serious cyber challenges to protect the nation’s critical infrastructure.

As the ranking member of the Senate Health, Education, Labor and Pensions (HELP) Committee, Lamar Alexander (R-TN) echoed Senator Carper’s concern. Senator Alexander expressed interested in convening healthcare companies and technology experts to see whether more federal assistance is necessary to prevent such attacks. In the House, Vice Chairwoman of the House Energy & Commerce Committee Marsha Blackburn (R-TN) viewed the breach as a demonstration that security of personal health information must be a top priority for the federal government.

More Testing, Renewed Focus on C-CDA to be Part of ONC Interoperability Strategy

Key Takeaway: During the August meeting of the Health IT Standards Committee, officials from the Office of the National Coordinator for Health IT (ONC) signaled their intent to improve testing tools for electronic health records (EHRs) as part of a plan to attain broad interoperability. Committee members also discussed the notion of revisiting ways to improve or replace C-CDAs.

Why it Matters: With this pronouncement, federal officials have indicated that they will rethink the processes and protocols associated with EHR testing. This is based on feedback that health IT executives gave to federal officials in the recent FDASIA Health IT Report. Members of CHIME and AMDIS called for more testing of EHRs to qualify for ONC’s certification program as a way to both improve interoperability and patient safety in health IT.

For months, health IT stakeholders have been quietly questioning the robustness of certification testing and the readiness of healthcare’s primary clinical document standard, the Consolidated CDA, or C-CDA. Last week, these questions were aired during the August Health IT Standards Committee, at which federal advisors discussed the need for better EHR testing to bolster interoperability and a renewed focus on how to improve the C-CDA. Members of the Implementation Workgroup discussed some challenges at a meeting last month, saying certified EHRs producing CDAs can have coding errors and variations, making it difficult for providers to exchange patient data using the templates. Workgroup chair Liz Johnson said an “in-depth review of C-CDA challenges for improvement or potential replacement” is needed to improve the interoperability of C-CDAs.

In response, Steve Posnack, director of the ONC's Office of Standards and Technology, said the Office is open to working with more private sector groups to improve its C-CDA testing methods.

Edited for style by Gabriel Perna