Only What Matters on Health Information Policy
2. Bass, Berry & Sims is hosting a webinar on October 24 about health care data breaches.
One Thoughtful Paragraph
Maverick Health Policy is hearing more and more about cybersecurity issues. We know that health care CIOs consider cybersecurity their #1 problem, because health care information is one of the biggest targets of cyberattacks. There are suggestions that we need a “corporate data champion” or a health data code of conduct, like this one from the CARIN Alliance. There are multiple recommendations for how health care companies should handle cybersecurity risks, including these from the federal government: ONC Top Ten Tips, OCR’s HIPAA Security Rule Crosswalk to Commerce’s NIST Cybersecurity Framework, FDA Guidance on Medical Device Cybersecurity, the congressionally mandated 2017 Health Care Cybersecurity Task Force Report, and the follow-up report in 2018. There is also a suggestion that the FTC should beef up its efforts in this area, and the FTC agrees. Our conclusion, so far, is that no health care data are safe from a cybersecurity threat. This strikingly complex problem deserves a dramatic diversion of financial and human resources to address it. Thus far, there is a lack of education, economic incentives, and regulatory mandates to create the necessary shift in attention and culture. This is particularly scary because we are about to embark on a journey that will “allow complete access, exchange and use of all electronically accessible health information on a national scale.” Yikes.