UK Beefs Up Hospital Cybersecurity FundingBut Will U.S. Inadvertently Trim Potential Security Investments?
In the wake of the global Wannacry ransomware attacks that hit hospitals in the United Kingdom especially hard, government officials there recently said they're boosting cybersecurity funding to over £50 million ($65 million) - to improve cybersecurity at hospitals, especially those that serve as trauma centers.
But in the U.S., some wonder whether potential moves by the Department of Health and Human Services to recover "inappropriate" HITECH Act electronic health record incentive payments made to some healthcare professionals could have the opposite result: weakening their cybersecurity efforts.
Trying to recoup money now from resource-strapped healthcare professionals who received HITECH funds could have a big negative impact on security.
In a July 12 statement, the United Kingdom's Department of Health said its "investment in data and cybersecurity will be boosted above £50 million - and include a new £21 million ($27.4 million) capital fund for major trauma centers - as part of its response to reviews and consultation feedback on these issues."
In the statement, U.K. health minister, Lord O'Shaughnessy, noted the National Health System "has a long history of safeguarding confidential data, but with the growing threat of cyberattacks including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS. Only by leading cultural change and backing organizations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat."
Certainly, efforts are also underway in the U.S. to help improve healthcare sector cybersecurity, including plans by the Department of Health and Human Services to open a new cyber information sharing center (see HHS Cyber Information Sharing Center: Is it Needed?).
But while the U.K. is beefing up funding for hospital cybersecurity, in the U.S., some members of Congress are pushing for moves that could have the unintended consequence of sapping security investment by some healthcare providers.
In a recent letter to HHS' Centers for Medicare and Medicaid Services, two GOP senate leaders are urging federal regulators to claw-back HITECH Act electronic health record incentive money - potentially totaling more than $700 million - that some healthcare providers may have received "inappropriately" due to factors including their inability to provide proof that they successfully met all meaningful use program requirements, based on a small sample of healthcare professionals studied by HHS (see What Happens if Some HITECH Payments Must Be Returned?).
Those requirements include conducting a security risk assessment of EHR systems - and some of the healthcare professionals who received HITECH money could not subsequently provide proof to HHS that they actually conducted the risk analysis.
While accountability and oversight of the meaningful use program is important - especially considering that more than $35 billion has been paid out so far to U.S. healthcare providers participating in the program - some experts contend that trying to recoup money now from resource-strapped healthcare professionals who received the funds could have a big negative impact on security.
In a statement, Anders Gilberg, senior vice president of government affairs at the Medical Group Management Association, which represents managers at thousands of physician practices in the U.S., tells me that while the group "does not condone willful fraud in any federal programs ... it could be financially devastating" for healthcare practices if each eligible professional who received the maximum $44,000 incentive payment was forced to pay back the money to CMS. For a 10-physician group, a $440,000 hit is a big deal, indeed.
Mary Chaput, CFO and compliance officer at cybersecurity consulting firm Clearwater Compliance, says attempts to recoup HITECH incentive payments already made to healthcare entities won't be good for cybersecurity.
"As money is already tight as it relates to HIPAA compliance and information security, [returning HITECH payments] will definitely affect it," she says.
Chaput says Congress should instead consider ways to help ensure healthcare entities conduct effective risk analyses, which too many organizations have yet to do, based on findings of federal health data breach investigations, she adds.
"Rather than take money away from organizations that are still struggling with this really fundamental risk management [practice], give them the tools they need to understand what they need to do, and to do it right," she says.
Lessons to Learn
Meanwhile, back in the U.K., the government's statement notes that to mitigate "the immediate risks with cybersecurity," its NHS Digital - which provides national information, data and IT systems for U.K. healthcare services - is supporting local organizations by broadcasting alerts about cyber threats, providing a hotline for dealing with incidents, sharing best practices and carrying out on-site assessments.
In addition, the statement notes: "Work is underway in parallel to determine the fastest and most cost-effective way to support the NHS to move from unsupported operating systems, including Windows XP." Experts say medical devices and other systems running legacy XP were among those hit hardest by WannaCry.
So, what can the U.K. learn from the U.S. - and what can the U.S. learn from the U.K. - that might benefit the cybersecurity of healthcare organizations in both nations? Let us know what you think in the comment space below.