The Washington Debrief provides CHIME members weekly news and information related to important healthcare IT legislative, regulatory and political developments in Washington, D.C.




Volume 5, No. 23
June 19, 2017
INSIDE THIS EDITION:
New CHIME Ad-Hoc Workgroups

Key Takeaway: Lend your voice to two new workgroups - just two calls each. 

Why it Matters: CHIME is hosting two new workgroups. Please RSVP to us if you are interested in joining.
HHS Cyber Workgroups

Key Takeaway: The U.S. Department of Health & Human Services (HHS) is looking for volunteers to join their new cyber workgroups.

Why it Matters: Looking for a way to get more engaged in public policy? This is it. HHS has several new workgroups that are just gearing up and need more volunteers. This is an excellent chance to interact with federal officials, other members and industry stakeholders by participating and helping lend the CIO and CISO perspective to the national dialogue. The six workgroups will center around:
  • Information-sharing;
  • Managing risk;
  • CISA 405d Implementation (involves establishing a healthcare implementation guide for NIST framework);
  • Risk assessment;
  • Future-gazing (involves incorporating new technology into healthcare without compromising patient safety); and
  • Communications and marketing.
Please email us for more details or if you are interested in joining any of these groups.

WORKING FOR YOU IN WASHINGTON

Leslie Krigstein
VP Congressional Affairs, CHIME

Mari Savickis
VP Federal Affairs, CHIME

Thoughts, Questions or Comments? Please contact Leslie or Mari.

Office Hours: 9:00am - 5:00pm
Program Overpayments

Key Takeaway: Office of the Inspector General (OIG) says Centers for Medicare & Medicaid Services (CMS) overpaid upwards of $729 million in Meaningful Use incentive payments.

Why it Matters: HHS OIG reported approximately 12 percent, more than $729 million, of the total CMS Meaningful Use incentive payments were overpaid to eligible providers that didn't meet the program's requirements.

The agency has been advised to attempt to recover the inappropriate payments and the $2.3 million it overpaid to providers who jumped from Medicaid to Medicare incentive programs. CMS has said they agree in part with OIG's findings.
House Committee Explores IoT and Wireless Security Challenges

Key Takeaway: Last week the Communications and Technology and the Digital Commerce and Consumer Protection Subcommittees of the House Energy and Commerce Committee hosted leaders from private industry and academia to discuss cybersecurity risks to wireless technologies and the promise of the internet of things (IoT).

Why it Matters: Congress continues to grapple with ensuring that the regulatory environment is able to protect consumer safety but also enable innovation.

In the hearing entitled, "Privacy in Wireless Technology," witnesses presented subcommittee members with the opportunity to discuss and examine cybersecurity risks to wireless technologies, specifically wireless networks and mobile devices. According to the witnesses, many of these risks are associated with the use of old and inexpensive wireless technologies and wireless networks such as 2G and 3G. The witnesses also acknowledged that many of those who are developing and producing wireless technologies are operating on a "first to market" rather than a "secure to market" ideology.

One solution outside of legislation was developing awareness through education. Congresswoman Doris Matsui (D-CA) expressed concern about the recent WannaCry ransomware attacks and cited the need to ensure the healthcare industry has the technical infrastructure and resources to keep patient information secure. The witnesses highlighted that cybersecurity awareness and education across organizations is imperative, regardless of who is responsible for cybersecurity. End-user awareness will be key to improving overall cybersecurity.

In the Digital Commerce and Consumer Protection subcommittee hearing entitled, "Disrupter Series: Update on IOT Opportunities and Challenges," lawmakers heard witnesses from industries ranging from healthcare to automotive to environmental. Among the issues discussed by William S. Marras, executive director and scientific director of the Spine Research Institute, The Ohio State University, were the existing patient identity and privacy law roadblocks that make it difficult to measure outcomes and assemble big data sets.

Congressman Michael Burgess (R-TX), a physician and the Health Subcommittee chairman, expressed his ongoing interest in ensuring privacy laws are not impediments to research, citing the 21st Century Cures Act passed into law in late 2016. Congressman Gus Bilirakis (R-FL) also expressed concerns about privacy protections and the need to address privacy concerns relative to the IoT.
WannaCry Lessons Learned Subject of House Hearing

Key Takeaway: Last week two subcommittees of the House Science, Space and Technology Committee examined the WannaCry ransomware incident.

Why It Matters: Lawmakers want to ensure that the cybersecurity vulnerabilities exploited during the WannaCry ransomware attacks are mitigated in federal IT systems.

During the joint Subcommittee on Oversight and Subcommittee on Research and Technology hearing entitled, "Bolstering the Government's Cybersecurity: Lessons Learned from WannaCry," lawmakers explored how the federal government can avoid being subject to incidents like the WannaCry attacks.

Witnesses and lawmakers alike discussed how prolific the WannaCry attacks could have been if the kill switch had not been discovered. They also discussed the role of the National Institute of Standards and Technology (NIST) in events like WannaCry and the overall preparedness of the nation for cybersecurity incidents. Meanwhile, some committee members voiced concerns over the proposed 25 percent cut to NIST's budget in President Trump's Fiscal Year (FY18) budget.

The witnesses discussed the importance of making it easier to be secure, rather than treating security as an afterthought, in the product development process. They also discussed the importance of widespread education initiatives, including changing corporate culture, and both the witnesses and members highlighted NIST's role and the value of the NIST Cybersecurity Framework.
New Cybersecurity Communications Center

Key Takeaway: HHS cybersecurity communication center to debut.

Why it Matters: Leo Scanlon, HHS' deputy chief information security officer, says that HHS' Healthcare Cybersecurity Communications Integration Center will open and have "initial operational capability" this month. The center will analyze and distribute cyber threat information across the healthcare space. We will bring you more details as they become available.
FDA's Myth vs. Fact Guide on Medical Device Cybersecurity 

Key Takeaway: FDA has a one-pager on myths vs. facts on oversight of medical devices.

Why it Matters: Some are still under the false impression that a manufacturer cannot update a medical device for cybersecurity without invoking the need to seek FDA approval; not so, says the FDA. This and other myths are debunked in their fact sheet.
New HHS Tools

Key Takeaway: Earlier this month, Office for Civil Rights (OCR) released a Quick Response Cyber Security Checklist and Infographic for the healthcare sector.

Why it Matters: HHS OCR developed a Cyber Security Checklist and a corresponding Cyber Security Infographic that explains the steps for HIPAA covered entities or business associates to take in the event of a cyber-related security incident.
VA Update

Key Takeaway: The Department of Veterans Affairs (VA) could receive $65 million to modernize their electronic health record (EHR) system.

Why it Matters: The Military Construction and Veterans Affairs Appropriations bill, fiscal year 2018, was approved by the House Appropriations Committee. This bill allocates $65 million for the modernization of the VA's EHR system. The bill would also provide $88.8 billion in discretionary funding and fund veterans' programs and benefits as well as equipment and training for military personnel.
New HHS Tools

Key Takeaway: HHS develops new benchmarking tool to test C-CDAs.

Why it Matters: HHS has a new benchmarking tool, One Click Scorecard, for healthcare providers to test the quality of the consolidated-clinical summary documents (C-CDAs) created by their certified health IT as implemented in production. For more details visit the One Click Scorecard. ONC has also published The Regional ADT Exchange Network Infrastructure Report, comparing various types of infrastructure models being used by Health Information Organizations to support inter-state health information exchange across the country.
ONC Update

Key Takeaway: ONC to place more focus on interoperability and usability of EHRs.

Why it Matters: National Health IT Coordinator Don Rucker, MD, said during a meeting last week that the ONC will shift its attention from the adoption of EHRs to interoperability and usability. Rucker also announced that the ONC is working closely with CMS on ways to reduce the amount of time spent on unnecessary EHR data entry. This builds on a theme echoed by CMS around reducing regulatory burdens, particularly as it pertains to physicians. The agencies are also weighing different "levers" for data sharing among providers and patients to boost interoperability.
FDA Elaborates on Future of Digital Health Oversight

Key Takeaway: FDA commissioner announced digital health plans.

Why it Matters: FDA Commissioner Scott Gottlieb, MD, announced via a blog posting the agency's plans for "fostering medical device innovation." He refers to the plan as "a novel, post-market approach." The 21st Century Cures Act limits FDA oversight of low-risk devices aimed at promoting a healthy lifestyle. Gottlieb says the FDA plans to publish guidance with more details on what devices it feels fall outside the FDA's scope of authority, as well as detailing how it plans to treat devices with multiple functions. FDA also plans to pilot-test its approach and is considering using a third-party certification for low-risk devices, which could be marketed without FDA premarket review, and a streamlined premarket review process for higher-risk devices.

College of Healthcare Information Management Executives (CHIME)
20 F Street NW | Suite 700 | Washington, DC 20001 | (734) 665-0000 | www.chimecentral.org