The Push to Allow Cybersecurity Technology Donations

Advisory Council Seeks Changes in Law to Help Smaller Healthcare Providers Improve Security
Under federal law, smaller healthcare provider organizations can accept certain donations of e-prescription and electronic health records technology and services from hospitals. But they can't accept similar donations of cybersecurity technologies. An advisory council is again urging the Department of Health and Human Services to eliminate that prohibition.
The Healthcare Sector Coordinating Council is appealing to HHS to modify federal anti-kickback regulations to allow certain resource-strapped healthcare providers to accept the donation of cybersecurity technology and services.
Greg Garcia, executive director of the Joint Cybersecurity Working Group of the HSCC, tells Information Security Media Group that the healthcare sector is becoming more aware of cybersecurity threats.
"Appropriately, the government is thinking proactively about how its 20th century healthcare regulatory regime may be impeding the private sector's ability to strengthen security and resiliency in a 21st century threat environment," Garcia says. He'll be a keynote speaker at the ISMG Healthcare Security Summit, to be held Nov. 13-14 in New York.
The HSCC is a private sector-led advisory council of healthcare industry stakeholders working with HHS to identify and mitigate threats and vulnerabilities affecting the ability to deliver healthcare services.
In comments submitted to the HHS Office of Inspector General, the HSCC asks regulators to consider loosening the so-called "Stark law" anti-kickback regulations so that smaller healthcare entities, and those with fewer resources, can legally accept certain donations of cybersecurity technology and services from others, such as hospitals and integrated delivery systems.
The comments are in response to a request for information issued by HHS OIG in August seeking input on regulatory provisions - including anti-kickback statutes - that may act as barriers to coordinated care or value-based care.
Back in August, the HSCC submitted similar comments to HHS' Centers for Medicare and Medicaid Services in response to CMS issuing an RFI seeking input on how to address any undue regulatory impact and burden of the physician self-referral law.
The Stark law, enacted in 1989, is designed to remove financial incentives for referring patients for healthcare services.
"Creating a waiver under the anti-kickback rules that allows for the donation of cybersecurity technology - both hardware and software - training, and tools to providers - for example, under-resourced or less sophisticated ones - will improve the overall cybersecurity posture of our industry and will help guard against cyberattacks that threaten patient safety," HSCC writes in its comments to OIG.
Garcia tells ISMG: "In these RFIs, HHS appears to be acknowledging that cybersecurity for our interconnected health system is a shared responsibility. So to the extent that larger and better resourced stakeholders can help smaller health providers with less expertise reduce their cyber risk, thereby reducing risk across the ecosystem, then that kind of assistance should be encouraged, not penalized as the Stark law would require. With appropriate, updated Stark safeguards in place that prevent legitimate risk of illegal kick-back, such a cyber exception should be in the no-brainer category."
In its comments to OIG, HSCC notes that it isn't the first group to make the recommendation.
A report issued last year by the Cybersecurity Industry Task Force - which was mandated by the Cybersecurity Information Sharing Act of 2015 - also proposed that regulators consider an exception to the Stark law and a safe harbor under the anti-kickback statute to allow certain donations of cybersecurity technology and services. That recommendation was one of more than 100 suggestions from the task force about ways to improve healthcare sector cybersecurity.
The task force is urging regulators to allow certain cybersecurity donations and subsidies, similar to exceptions that were made in 2006 - and have been extended to 2021 - to allow certain donations of electronic health records and e-prescription technology and services by hospitals to smaller healthcare practices.
Meanwhile, in its recent comments to OIG, the HSCC writes: "In particular, smaller and lesser-resourced providers need help enhancing their cyber posture. ... It would benefit the entire healthcare industry to support the provision of cybersecurity resources outside of large health systems. Doing so would help to protect a community's larger systems, as well as the affiliated small and medium-sized practices."
Support for Proposal
Some security experts contend that the recommendations to extend the Stark law anti-kickback exceptions to promote broader cybersecurity adoption make sense.
"It's a good idea because physicians in private practice face mounting costs on a variety of fronts and rate pressure from payers," says regulatory attorney Robert Homchick of the law firm Davis Wright Tremaine.
In the current environment, many physicians are unwilling or unable to invest in cybersecurity technology and services, he notes. "That leaves patients vulnerable to cyberattacks. By permitting the donation of cybersecurity technology and services, the government would be promoting sound public policy to increase data security and deter fraudsters."
Homchick believes that HHS may be open to considering the expansion of the Stark electronic medical record donation exception. "The critical question is whether the agency believes it has the authority to do so given the current language of the Stark law."
Privacy attorney Kirk Nahra of the law firm Wiley Rein offers a similar assessment.
"The Stark law has been enormously controversial from the beginning, and there are ongoing efforts to make it more appropriate in today's health care environment," Nahra notes.
"With today's challenges related to cybersecurity, it would make sense to permit assistance for healthcare facilities in connection with beefing up their cybersecurity capabilities. Better cybersecurity protects both the healthcare system and patients, so it is a win-win without meaningful fraud issues. In the unlikely event of any actual healthcare fraud issues - which is what Stark generally is designed to prevent - the government has plenty of other anti-fraud tools with which to pursue problematic activity."
Logical Next Step?
Attorney Rebecca Williams, chair of the health information practice at the law firm Davis Wright Tremaine, claims that expanding the Stark law exception and anti-kickback safe harbor to permit donation of cybersecurity technology and services would be extremely helpful in securing sensitive health information.
"Since hospitals and other donors already are permitted to subsidize the implementation of electronic health records for physicians, it seems that permitting those donors to help protect those EHRs is a logical next step," says Williams, who has developed electronic health record provisioning or donation arrangements between hospitals and physicians.
So what's the likelihood that HHS OIG will tackle the suggested changes?
"The agency seems to be on a course that recognizes cybersecurity is a patient safety imperative and that penalizing the victims of cyberattacks is counterproductive to critical infrastructure protection," Garcia says.