The Working Group on Electronic Data Interchange (WEDI) says the Department of Health and Human Services (HHS) should create an Office of National Cybersecurity Policy led by a “cyber policy czar.”
In the wake of the high-profile Change Healthcare and Ascension cyberattacks, WEDI sent a letter to HHS Secretary Xavier Becerra identifying issues and recommendations aimed at mitigating the potential consequences of a cyberattack on healthcare operations and patient security.
“The recent cyberattacks, while unprecedented, are just the latest example of what has unfortunately become all too common in the healthcare industry,” Charles Stellar, president and CEO of WEDI, said in a statement. “When administrative transactions such as medication prescriptions, claims, and treatment authorizations cannot be completed, provider operations and even patient care can be affected.”
WEDI members identified several actions the federal government could take to minimize the negative impact a cyberattack can have on the healthcare system. WEDI’s recommendations to HHS included:
• The recommended Office of National Cybersecurity Policy (ONCP) would not replace any existing agency or usurp the jurisdiction or function of any other agency. Instead, it would drive a centralized cyber incident reporting process, coordinate harmonization efforts among federal agencies and stakeholder education (with a focus on under-resourced organizations), direct funding for preparedness, develop and implement national contingency plans, and serve as the focal agency for industry recovery following a major cyber incident.
• Conduct select audits and educate the industry. HHS, through its Office on Civil Rights (OCR), must conduct select proactive and comprehensive audits of the health sector. Through these selected audits, OCR can identify best practices that will provide targeted guidance to address compliance challenges and be leveraged in an educational campaign to better prepare covered entities to address cyber threats.
• Establish a Voluntary Security Audit Program. OCR should be directed to establish a program that allows covered entities to voluntarily submit to a security audit. Those who submit their policies and procedures for voluntary review should not be subject to coercive measures should any deficiencies be identified during the audit. Rather, the organization should be given enough time to correct any problems.
• Accredit Accreditation Programs. HHS should consider developing minimum standards for third-party accreditation/certification entities. A minimum set of security, privacy and cybersecurity standards could be required to ensure that an accredited or certified organization is in the best position to prevent a cyberattack or mitigate its effects.
• Implement Administrative Actions. HHS should build on the actions it took following the recent cyberattack on a major clearinghouse. In the event of a major cyber incident, HHS must be ready to implement actions that immediately assist data sharing processes between providers and health plans. These actions could include:
    • Accelerate the registration of new electronic data interchanges (EDI).
    • Accept paper claims.
    • Relax or eliminate certain prior authorization requirements.
    • Provide advance financing.
    • Delay or waive data submission requirements.
    • Issue communication guides for business partners after the attack.
• Explore opportunities to increase cybersecurity funding.
WEDI also suggests that HHS designate one week as “National Healthcare Cyber Fire Drill Week.” This would be a designated period in which the federal government would lead the healthcare industry in promoting cyber awareness and action.