Healthcare , HIPAA/HITECH , Industry Specific

Could New Cyber Regs Be in the Future for Clinicians?

Medicare 2025 Pay Rule for Physicians Hints of Possible New Cyber Expectations
Could New Cyber Regs Be in the Future for Clinicians?
Image: Getty Images

Federal regulators are again signaling that stronger cybersecurity practices could be tied to financial incentives for doctor offices that participate in Medicare.

See Also: Enterprise Browser Supporting Healthcare, Cyber Resilience

The Centers for Medicare and Medicaid Services in a short paragraph buried in a nearly 3,100-page 2025 fee schedule and payment policy rule issued on Friday said regulators are considering promoting cybersecurity best practices in the future for clinicians that are eligible to participate in the CMS Merit-based Incentive Payment System.

MIPS is a program that connects Medicare payments to a physician's performance. One component is the Promoting Interoperability programs, or the PI, a rebranding of the HITECH Act's financial incentive program for the "meaningful use" of electronic health records. The PI program focuses on bolstering patient access to health information and the electronic exchange of information.

Security is not a totally brand new concept to the PI program. For at least the last four years, the PI program has included a requirement for MIPS participants to annually complete and attest to conducting a security risk analysis.

But additional security best practices could potentially become part of the program's mix of requirements for clinicians who participate in the MIPS program, based on what CMS said in its 2025 payment policy rule.

"We wish to alert readers of additional HHS resources and activities regarding cybersecurity best practices as recently summarized in an HHS strategy document that provides an overview of HHS recommendations to help the healthcare sector address cyber threats," CMS wrote in the rule.

HHS recently published a website detailing recommended cybersecurity performance goals, CMS noted. "We intend to consider how the Promoting Interoperability performance can promote cybersecurity best practices for MIPS-eligible clinicians in the future."

HHS in a December concept paper called its 10 "essential" and 10 "enhanced" cybersecurity performance goals "voluntary" best practices. That same document also hinted that the best practices could become mandates for hospitals regulated through CMS financial incentives and penalties (see: Feds Wave Sticks, Carrots at Health Sector to Bolster Cyber).

CMS did not immediately respond to Information Security Media Group's request for comment on potential plans for new cybersecurity measures for healthcare providers, including clinicians and hospitals.

But some experts said HHS has been hinting for a while that it might raise cybersecurity expectations for healthcare sector entities.

"HHS had forecast that in coming years the Promoting Interoperability Program measures could include some type of scoring for cybersecurity," said privacy attorney David Holtzman of the consulting firm HITprivacy. "You can think of this as nerd telegraph. CMS is simply messaging that they are considering it for a future year edition of the physician fee schedule. There is really 'no beef' to answer the question 'where's the beef?'" he said.

Regulatory attorney Rachel Rose said that some incentives for better security by healthcare sector entities - as well as their third parties that handle HIPAA-protected health information -already exist.

An amendment to the HITECH Act signed into law on Jan. 5, 2021, provides HIPAA-covered entities and business associates "with the opportunity to have investigations shortened and potential fines reduced" so long as they can demonstrate they've had recognized security practices" such as the NIST Cybersecurity Framework in place for 12 months.

"Some persons respond to carrots, and others to sticks," she said.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.