Efforts to Incentivize Healthcare Sector Cyber Investments
Erik Decker, CISO of Intermountain Health, on Ways to Bolster Security Posture
Federal legislation signed into law earlier this year amending the HITECH Act could help incentivize many healthcare sector entities to bolster their cybersecurity programs, says Erik Decker, CISO of Intermountain Health and co-chair of a federal advisory task force that helped craft the provision and other potential cyber-related financial incentives.
The provision calls for federal regulators to consider whether a healthcare sector entity has implemented "recognized" security best practices, processes, standards or methodologies - such as those supported by the National Institute of Standards and Technology - before levying a fine or other enforcement action under HIPAA (see: Bill Spells Out New Factors to Weigh in Setting HIPAA Fines).
"The good news is that if you establish that you have adopted those practices over the past 12 months, then the Department of Health and Human Services' Office for Civil Rights is directed through this law to consider that before issuing [enforcement actions] in a case involving a breach."
HHS has not yet issued a proposed rule, which is needed to flesh out details for how the new statute will be implemented.
Other proposals for financial incentives could help improve the overall posture of the healthcare sector, Decker says.
"Given that small-sized organizations are so strapped when it comes to resources, it's very difficult for small and medium-sized organizations to even have dedicated cybersecurity budgets or people," he notes.
One possible incentive is to potentially increase reimbursements to healthcare entities from the HHS Centers for Medicare and Medicaid Services "by a fraction of a percent," to be used by the organizations for their cybersecurity efforts, Decker says.
"If you put that fraction of a percent directly into a cybersecurity budget, we can potentially raise the floor in healthcare on how we can actually defend ourselves. It would really help," he says.
"Medicare/Medicaid is the biggest payer in healthcare … so it's an avenue to try to bring in some extra revenue so that the organization doesn't have to make that critical call on whether we put money into the cyber budget or a diagnostic or therapeutic [purchase]. When you're a small organization, literally every dollar counts."
In the video interview, Decker also discusses:
- Other potential incentives to help the healthcare sector improve its cybersecurity posture;
- Areas within the healthcare sector that need the most help with bolstering cybersecurity;
- His recent testimony about healthcare sector security to the National Committee on Vital and Health Statistics on behalf of the Health Sector Coordinating Council, of which he is a member of the executive committee.
Decker is the CISO for Intermountain Healthcare, a multistate integrated delivery network based in Salt Lake City, Utah. He is currently co-leader of an HHS task group of more than 250 industry and government experts from across the country that is implementing the Cybersecurity Act of 2015's 405D legislation within the healthcare sector. Decker was previously CISO and chief privacy officer at the University of Chicago Medicine.