On March 27, the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology released its federal strategic plan for health information technology for the next five years for comment through May 28. This plan outlines the federal government's goals and strategies to support access, exchange, and use of electronic health information. Federal agencies will use the final plan to prioritize and coordinate efforts and inform the private sector of their priorities. According to ONC, the draft plan is consistent with HHS's previous concept paper and voluntary cybersecurity performance goals.
The AHA is implementing a voluntary initiative based on cyber resiliency best practices and strategies identified by cybersecurity industry experts and a public-private partnership between federal agencies and several healthcare sector representatives, including the AHA. “We appreciate the inclusion of comprehensive cybersecurity performance goals,” said John Riggi, AHA's National Advisor on Cybersecurity and Risk.
“However, HHS continues to promote a misguided concept paper that calls for mandatory cybersecurity requirements only for hospitals. This will not improve the cybersecurity posture of the healthcare sector as a whole. Repeated references to this concept paper demonstrate the logical flaws in emphasizing hospitals as the primary source of cyber risk in healthcare. To make progress, the federal government must be willing to take a strategic, holistic approach to this national security threat, rather than just focusing on one aspect of the health care sector: hospitals. The defensive strategy imposed on the healthcare sector must also be accompanied by an equally aggressive offensive cyber strategy by governments to counter the real source of cyber risk: foreign bad actors.
“As the painful experience of the Change Healthcare crisis has reminded us, hospitals and patients are more likely to be victims or collateral damage of cyber-attacks and are the primary cyber risk exposure facing the healthcare sector. Not the cause. This well-documented risk stems from vulnerabilities in third-party technology and service providers, not in the hospital's core systems.
“The AHA cannot support proposals to impose mandatory cybersecurity requirements on hospitals as if the hospitals were responsible for hackers committing crimes. Reducing hospital payments would reduce hospital resources needed to fight cybercrime and be counterproductive to our common goal of preventing cyberattacks.”