Would Tying Provider Payments to Cybersecurity Standards Strengthen Healthcare Security?

Last month, Health and Human Services Department (HHS) Deputy Secretary Andrea Palm stated that HHS is considering linking minimum cybersecurity requirements to payments to healthcare providers under federal programs such as Medicare.[1] This is potentially the latest effort by the Biden Administration to address the need to improve cybersecurity and better protect individuals’ information through governmental agencies. The healthcare industry is of particular concern as it is a frequent target for threat actors due to healthcare companies’ large repositories of sensitive personal health information.[2]

Previous examples of using regulatory agencies to strengthen cybersecurity include:

  • HHS and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released a cybersecurity toolkit in October to encourage safe cyber practices for healthcare companies of all sizes.[3]
  • In July, the Securities and Exchange Commission (SEC) announced new Cybersecurity Reporting Rules that will become effective on December 15, 2023. These rules will require all U.S.-listed companies to disclose data breaches within four business days and describe the material impact of the breach on the business’ financial health.[4]
  • In May, the Federal Trade Commission (FTC) sought comment on amendments to the Health Breach Notification Rule (HBNR). If enacted, these amendments would require non-covered entities of the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals and the FTC if their company experiences a data breach.[5]

Could This Latest HHS Proposal Be Successful?

Linking federal payments to minimum cybersecurity requirements could be an effective approach for the healthcare sector because the U.S. government – through the Centers for Medicare & Medicaid Services (CMS) which administers the Medicare program – is the largest payer in the country.[6]

Just consider the following three numbers:

  • $11 million – How much an average data breach costs a healthcare organization.[7] Cybersecurity incidents are expensive. The financial, operational, and reputational impacts can be damaging, emphasizing the importance of data privacy preparedness.
  • 88 million – The number of individuals whose records have been exposed or stolen due to cybersecurity attacks in 2023 alone.[8] Cybersecurity incidents don’t only affect companies—patients and their data are impacted too.
  • $747 billion – How much money Medicare spent in 2022, and the amount that could be on the line for providers if payments were tied to minimum cybersecurity requirements.[9] As the largest payer for healthcare services in the U.S.,[10] CMS has extraordinary leverage over provider organizations that participate in the Medicare program.

What Does ‘Minimum Standards’ Mean?

Should this idea be formally proposed, HHS would need to provide greater detail on what “minimum cybersecurity standards” entail, as well as when these requirements would go into effect, and what entities would be required to adhere to them. A period for notice and comment would likely allow stakeholders the opportunity to engage government officials on these particulars.

Yet, in light of these recent comments and the push toward greater transparency, reporting, and regulation – not to mention the ongoing threat posed by sophisticated threat actors – healthcare organizations should take a proactive rather than a reactive approach to data privacy and protections.

A few actionable steps to consider when formulating a proactive approach include:

  • Creating a comprehensive data privacy story and philosophy for communicating with relevant stakeholders;
  • Designing a comprehensive data privacy and crisis response plan to effectively communicate strategy and stay ahead of the ever-evolving threat environment;
  • Creating a data privacy-specific public affairs campaign to achieve policy and communications goals.

Contact the authors to discuss how to incorporate the above recommendations into your current operations.

[1] Ben Leonard, “HHS Weighs Health Cybersecurity Regulations Tied to Payment,” POLITICO (October 25, 2023), https://subscriber.politicopro.com/article/2023/10/hhs-weighs-health-cybersecurity-regulations-tied-to-payment-00123488?source=email.

[2] Shawn Dickerson, “Why is healthcare a top target for cybersecurity threats?” Security (September 13, 2022), https://www.securitymagazine.com/articles/98324-why-is-healthcare-a-top-target-for-cybersecurity-threats.

[3] “Healthcare and Public Health Cybersecurity,” Cybersecurity & Infrastructure Security Agency (November 16, 2023), https://www.cisa.gov/topics/cybersecurity-best-practices/healthcare.

[4] Todd Ehret, “Companies Should Prepare to Comply with New SEC Cybersecurity Rules,” Thomson Reuters (October 2, 2023), https://www.thomsonreuters.com/en-us/posts/government/sec-cybersecurity-rules/.

[5] Julia Gruenwald Henderson, “FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule,” Federal Trade Commission (May 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-rule.

[6] “Medicare Payment,” CMS.gov (Last modified September 6, 2023), https://www.cms.gov/cms-guide-medical-technology-companies-and-other-interested-parties/payment#:~:text=Medicare%20is%20the%20single%20largest,services%20in%20the%20United%20States.

[7] “Average cost of a data breach worldwide from May 2020 to March 2023, by industry,” Statista (November 16, 2023), https://www.statista.com/statistics/387861/cost-data-breach-by-industry/.

[8] “HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation,” U.S. Department of Health and Human Services (October 31, 2023), https://www.hhs.gov/about/news/2023/10/31/hhs-office-civil-rights-settles-ransomware-cyber-attack-investigation.html.

[9] “Budget Basics: Medicare,” Peter G. Peterson Foundation (April 18, 2023), https://www.pgpf.org/budget-basics/medicare#:~:text=Key%20Facts,percent%20of%20total%20federal%20spending.

[10] “CMS Roadmaps Overview,” Centers for Medicare & Medicaid Services (November 16, 2023), https://www.cms.gov/medicare/quality-initiatives-patient-assessment-instruments/qualityinitiativesgeninfo/downloads/roadmapoverview_oea_1-16.pdf.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2023 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com