Rangy new HIPAA reg proposals could ramp up cybersecurity expectations, investments, and dings for falling short. Make sure you're ready.
On January 6, HHS published a proposal to amend the HIPAA Security Rule, foretelling the most sweeping changes to HIPAA regulations in more than a decade. If enacted, the updates will "have a major impact on HIPAA-regulated entities operationally and financially, requiring a major investment in cybersecurity," The HIPAA Journal reports.
Key proposals include more stringent risk analysis, detection, and response measures, along with a range of protections including network segmentation, ePHI encryption, multi-factor authentication, and anti-malware protection.
Although the fate and timing of the final rule is murky under the new administration, comments are due on or before this Friday, March 7. "Extensive feedback is expected from HIPAA-regulated entities and healthcare industry stakeholders due to the number of new cybersecurity requirements," the journal reports.
Regardless of how it all shakes out, there's at least one measure that's worth getting a jump on now: Continuity planning in case of widespread disruption — a growing reality in today's volatile world, and one that takes myriad forms.
"If you don't have a good mitigation strategy today, you're dead in the water," says Ejay Birkmeyer, assistant vice president of revenue cycle operations at The University of Texas Medical Branch (UTMB), a four-hospital system based in Galveston, Texas. Aside from multiple hurricanes, the organization has braved freezes and other power-zapping disasters in recent years. "And of course, that's Mother Nature attacks. Now, you're talking about cyberattacks, which, on top of that, your continuity plan has to deal with."
More than a year after the Change Healthcare breach, UTMB, a then-client of the vendor, is still feeling the ripple effects as they finish digitizing thousands of payer files that they had to capture on paper in the aftermath.
Three weeks post-attack, Birkmeyer participated in a continuity planning session led by a former Department of Justice staffer. "We got to hear some inside things on planning, and there's a lot of 'what ifs,'" he says. "It goes down a rabbit hole."
The system's resulting 250-page plan touches on everything from civil unrest to natural disasters to other disturbances, both likely and unlikely. Ahead, he shares his biggest takeaways from the exercise.
Opt for vendor interoperability
Over his more than two decades in healthcare, Birkmeyer says he's seen a seismic shift in the industry's relationship to technology — from lagging to leading on many fronts. Now, "some of the healthcare IT is on the cutting edge because we're introducing AI into it," he says. "A lot of the things that didn't exist before now exist, and we're trying to take advantage of them early."
Interoperability is crucial to ensuring a standardized, sustainable approach, and many vendors are taking their cues from "Congress and governmental [agencies] stepping in to try to make it better," he says. Major players like Oracle Health and Epic Systems are "very big" on the practice, which allows them to share data across their own and other platforms, he explains. "Because the more information you have, the better medical decisions you can make on patients."
When it comes to vetting potential vendors and tech partners, it helps to have a designated staff member keeping tabs on the regulatory landscape, including new proposals coming down the pike, says Birkmeyer, whose team monitors briefings from HFMA and federal agencies, including CMS, HHS, and the Cybersecurity and Infrastructure Security Agency (CISA, formerly US-CERT and ICS-CERT).
UTMB's chief information security officer looks specifically for a prospective cloud service provider's compliance with the Federal Risk and Authorization Management Program (FedRAMP) and Texas-specific TX-RAMP protocols for state and government institutions.
Requirements could get even stricter in the final cyber rule, Birkmeyer predicts, in terms of what's considered secure transmission and storage of PHI and financial information. "And some people will meet that, and some people may not."
No matter how sophisticated your tech partners are, none should be your end-all, be-all on any specific function. And that's where Birkmeyer's single biggest piece of continuity planning advice comes in: Resolve single points of failure. For UTMB, Change Healthcare was that Achilles heel when it came to claims management. Now, they have a backup vendor on retainer in case their primary solution is hit.
Tap into tech for recovery
Birkmeyer's team has had to manually post or convert paper files to an electronic format for documentation affected by payer downtime following the Change Healthcare breach, including roughly 250 explanations of benefits (EOB). "We did a lot of them by hand, but when you're talking about [a] thousand patients on the EOB, you really can't do that by hand very quickly," he says. "We've had to weigh cost of converting versus cost of paying overtime versus time it takes, or do we need extra resources?"
To help speed up the process, they've leaned on emergent EOB conversion tech from a current vendor that "made a lot of technological improvements" quickly following the breach to help systems get their documents back online, Birkmeyer says. Even though they're nearing the finish line, "it's taking a long time to get to an accuracy rate that we're comfortable with in posting some of those."
Go old school
Although there are a lot of shiny new objects in the revenue cycle marketplace, don't sleep on the older tech.
The proliferation of remote work at the COVID-19 pandemic's peak means many organizations are better equipped with strategies to support a distributed staff — such as laptops or mobile desktops for everyone — which also comes in handy when preparing for "a physical attack on a building or something of that nature," says Birkmeyer. At UTMB, "continuity planning now extends to plugging in somewhere else," such as at home and other hospital campuses. "We have worked on moving our secondary locations for servers off the island, even away from Houston," he adds.
When preparing for full network outages, think even older school. "As a society, we're trying to get away from paper, but [when] none of the digital streams are available, you have to have some marching orders somewhere," Birkmeyer says. He recommends keeping a printed copy of the continuity plan in a designated folder or notebook, along with a list of key phone numbers, such as those belonging to vendors.
Put heads together
Birkmeyer's team also compares notes with peers across and beyond the UT network, such as Ochsner Health and LCMC Health, two Louisiana-based systems that face hurricanes and other similar regional threats. "That information is invaluable between organizations, and it really does help with your own planning," he says.
Cultivate that same sense of camaraderie between departments within your organization, he advises. He sees cybersecurity as "a three-part deal" between financial, clinical, and IT teams. "So those people at the table can make some of the core decisions about your organization on how to secure data."
Delaney Rebernik is a freelance editor for HealthLeaders.
KEY TAKEAWAYS
Sweeping new HIPAA Security Rule proposals could mean hefty cybersecurity investments on the horizon for many health systems.
For revenue cycle leaders, it's crucial to come to the table with IT and clinical counterparts for rigorous continuity planning, says one exec who's seen firsthand the far-reaching ramifications of a cyberattack.