When it comes to healthcare IT policy, uncertainty isn’t exactly a rare occurrence; but in the cybersecurity space, it’s not just common — it’s part of the fabric. What that means is that if you want to push anything forward, you need to embrace the “constant state of flux” and be willing to have “difficult conversations,” according to CHIME’s Policy leaders Leslie Krigstein (VP of Congressional Affairs) and Mari Savickis (VP of Federal Affairs).
But it’s those conversations — and a relentless drive for improvement — that get things done. Case in point? The FDA has drafted premarket guidance for managing cybersecurity in medical devices, in which it recommends that manufacturers provide a “bill of materials” to help healthcare organizations respond more effectively to cyberattacks. Although it’s “just a start,” as Krigstein and Savickis stated during an AEHIT session focused on Public Policy, it marks a victory — and hopefully, a new era in which providers and manufacturers communicate and work together to improve security.
During the AEHIT18 Fall Forum, healthsystemCIO.com sat down with CHIME’s policy leaders and talked about their key priorities from a cybersecurity standpoint, the progress that has been made, and what’s next on their plates.
Kate Gamble: Let’s talk about medical device security. As you mentioned during the session, finger-pointing has long been an issue. Are we shifting away from the blame game and getting to a point where the industry can establish best practices on how to keep these devices secure?
Mari Savickis: I believe we’ve cleared the toughest hurdle, which was getting the FDA to acknowledge that it’s a shared responsibility. Clearing that hurdle – which took pressure from Congress – was a big accomplishment, and I think we’re turning the corner. I wouldn’t say we’ve crested on the mountain; but we’re in a better place. We were at the base of the mountain, and now we’re inching our way to the top.
We haven’t yet gone through the premarket guidelines with a fine-toothed comb, but we’re making progress. People are coming together and talking in ways they hadn’t before — it’s a much more collaborative environment now.
Leslie Krigstein: Having providers and manufacturers recognize that it’s a shared responsibility has been really important. And the fact the FDA has drafted premarket guidance is a huge step. Some might say that it’s only guidance and there’s wiggle room, but the fact that they’ve come out and said that more needs to be done — that’s a big deal. And it happened because there were letters from the Hill and there were questions being asked.
So we do have some momentum, and I believe we’re headed in the right direction. I think it’s important to give kudos to the Sector Coordinating Council (SCC), which has been a forum for collaboration and fostering constructive dialogue.
Gamble: Talk about some of the important steps that have been made recently to move toward safer cybersecurity practices.
Savickis: I think ‘steps’ is the key word — it hasn’t been one particular thing. We’ve been building to a crescendo through a series of events, including the passing of the Cybersecurity Information Sharing Act (CISA) package, the Cybersecurity Industry report with all of the recommendations, and the reboot of the SCC. Along the way, AEHIS members have done a tremendous job with telling stories and level-setting for the government. We’ve finally found our voice.
Krigstein: I agree. I think our members’ willingness to speak out when it really wasn’t politically palatable has played a key role. And it can be scary — no one wants a target on their back. But our members have been willing to speak up and say, ‘we’ve had these incidences,’ or ‘this has been our experience with our vendor partners,’ or just ‘we’re nervous about this.’ So I think we’re making a lot of progress. We’re a long way from accomplishing our goals — the legacy issues will continue well into the future. But the more we can look at the premarket side and proactively partner to ensure at least the new devices coming in are secure, the better off we’re going to be.
Gamble: What are some of the areas in which you’re seeing progress? I can imagine it can be difficult to gauge that.
Savickis: It is. Sometimes when you’re this far into the weeds, it’s hard to see the progress that’s being made. In the three and a half years I’ve been here, I’ve noticed a massive uptick in the use of, and interest in, the NIST Framework, which is something we strongly support. And in fact, the findings from the study we developed with KLAS show there’s been an increase in use of the Framework.
Krigstein: There’s a belief held by some that it’s solely in the purview of the providers — that it’s a contractual issue. In fact, this was feedback that one of the other industry groups gave [CHIME CEO] Russ Branzell. But to us, the suggestion that a 45-bed hospital has the same buying power as a large health system just doesn’t make sense. While it’s true that some of our members have that buying power, many of them don’t.
Savickis: We have members from some of the most sophisticated organizations, and they’ve told us that they still have challenges. And so it’s not just a contractual issue. There is so much variation between hospitals in terms of budgets and strategies, and yet we still hear from members that manufacturers will say, ‘No one else is asking for this.’
Another thing that’s very encouraging is that the FDA is saying, ‘if you have a problem with getting a patch, call us directly.’ We’re so unbelievably pleased to hear that. But our folks aren’t going to call the FDA or any government agency before they try to figure it out themselves. They’re going to try to get that resolved with the manufacturer first.
Krigstein: We still have members who don’t have patches from WannaCry, and that was last summer. So we’re not trying to paint a rosy picture — but we believe it’s important to celebrate the victories, even the small ones.
Gamble: Absolutely. What are some of your key priorities as we look to 2019?
Savickis: HIPAA privacy is a big one. I think privacy, in general, is going to explode because of what’s happening in the tech sector. This is a huge conversation. There are some people on the Hill who are upset — all it takes is that, and a few hearings, for the entire industry to be put on notice. With all the consumerism around sharing health information and liberating the data — and we’ll be the first to acknowledge that patients have a right to access their data — there are questions that need to be answered: Where is that data going? How is it actually being used? This isn’t a security issue; it’s a privacy issue.
That being said, if we experience another large-scale cybersecurity breach, everything is going to pivot very quickly in the other direction.
Krigstein: We expect to see a lot of activity around the nuts and bolts of that issue, and I believe 21st Century Cures will have a lot of oversight. They’re going to want to dig into information blocking, and they’re going to want to dig into TEFCA (Trusted Exchange Framework and Common Agreement). Also, the patient matching report is supposed to become available soon.
Savickis: We want to see patient access and interoperability included. In some ways, it’s dotting the I’s and crossing the T’s. But when it comes to things like data blocking, people are apprehensive — they want to know what it means.
Krigstein: The fact that there is a lot of vendor uncertainty bleeds into the vendor-partner space. There’s development that needs to happen and implementation that needs to happen on the provider side, and all of this uncertainty perpetuates the process.
Savickis: That’s the biggest source of anxiety for our folks — not knowing what the requirements are. We’ll always hear, ‘We just want to know what the rules are, and we’ll do our best to follow them.’
Gamble: You mentioned in the session that you’re ‘bracing for impact.’ Is that in reference to some of the regulations that are due at the end of this year?
Savickis: There are several regulations due by the end of November, including the MIPS fee schedule and TEFCA, although that includes a comment period. And we’re still digesting the Opioid package. There are pieces of the bill [42 CFR Part 2] that we believe will have huge implications, such as e-prescribing of controlled substances.
Krigstein: Liz Johnson, who is our Policy chair, talked about passing around a letter and getting all of our members to sign it. The push to align 42 CFR with HIPAA will continue to be a priority for us, especially as we enter the lame duck Congress in the New Year. Hopefully we’ll be able to get that accomplished. We were really disappointed that it wasn’t the final bill. But we’re hoping that, as a CIO community, we can help move the needle.
Savickis: We’re going to hear a lot of conversation about opioids. It’s a massive epidemic, and it will be an area of continued activity for the foreseeable future. So yes, there’s a lot happening, and there’s going to be a lot happening for a while.