The latest call for a national patient identifier has come from an unlikely place — a hearing on healthcare cybersecurity convened by the House Subcommittee on Health.
In written testimony for the hearing, “Examining Cybersecurity Responsibilities at HHS,” Marc Probst, Vice President and CIO of Intermountain Healthcare and Chairman of the Board of Trustees of the College for the Healthcare Information Management Executives (CHIME), included the use of a national patient identifier as one of four recommendations to improve preparation for cyberattacks.
“Reducing the reliance on Social Security Numbers (SSNs) and other identifiable information that help bad actors execute fraud will immediately devalue health records on the black market,” Probst argued. “We need a healthcare identification solution that, if stolen, does not have the same potential for fraud and abuse.”
Probst called on Congress to remove language in an appropriations bill that limits the Department of Health & Human Services from using federal funds toward such an end.
“Technology has provided for alternatives to a numeric or alphanumeric identifier as a solution, and the government does not need to be the arbiter of the identification solution, but HHS must be able to provide technical assistance to private sector initiatives,” he went on to say. “Unfortunately, HHS has interpreted the annual funding ban to prohibit them from collaborating or assisting with private sector efforts to improve patient identification on a national level.”
Along with this recommendation, Probst warned members of Congress of the dangers of increasing patient access to health information under Stage 3 Meaningful Use. While information sharing is crucial to improving care coordination and delivery, Probst called into question the timeline for using application programming interfaces (APIs) in Stage 3 to improve the movement of data.
“Rushing implementation of health IT raises patient safety and cybersecurity concerns,” he maintained. “We believe it is premature to include such mandates in the Meaningful Use program given the lack of mature standards, especially relating to security. Therefore, CHIME suggests that Stage 3 start no sooner than 2019 to allow for additional time to ensure proper security protocols are in place before the widespread use of APIs is mandated.”
Speaking of incentives, Probst emphasized the value of incentivizing security as a means of preparing the healthcare industry for an increasing threat from cybersecurity attacks, and even considered MACRA implementation as a stepping stone in doing so:
Given the low degree of spending/resources for IT spending, policymakers should look for ways to encourage investment through positive incentives for those who demonstrate a minimum level of cyberattack readiness and mature information risk management programs. The federal government and the nation’s largest retailers have found themselves victims of large-scale breaches; there’s no question that healthcare providers are at a disadvantage, especially as they transform to meet the demands of new payment models, many of which will lower hospital reimbursements. Can reimbursement schemes include cyber preparedness? Should MACRA’s Clinical Practice Improvement activity list include security improvements? We believe so.
Lastly, Probst recommended reducing regulatory complexity as a means of bolstering cyber-readiness.
“Congress should pursue legislation that harmonizes other privacy, security and information risk management requirements to eliminate the complex patchwork of regulations across industries and state lines,” he advised. “Currently, healthcare organizations dedicate highly valuable resources to navigating these complexities to demonstrate compliance with its regulators; if a streamlined regulatory framework were in place these resources could focus more time on actively monitoring and protecting against the daily variable threats.”
While the focus of Wednesday’s hearing was truly on the role of HHS in providing guidance for cybersecurity, it drew attention to how wide a threat cyberattacks are becoming for healthcare organizations and providers of all sizes.