AHIMA, along with several provider-based organizations, submitted a letter to US Department of Health and Human Services (HHS) Secretary Xavier Becerra asking for the agency to take steps to prevent future disruptions to healthcare when a cyberattack on critical healthcare infrastructure components take crucial processes offline.
The letter, sent June 26, asks HHS to undertake an audit of all technology systems in use by healthcare nationwide and work to provide options for provider organizations when only one technology product is available for a specific critical purpose. As the nation experienced earlier this year when Change Healthcare was attacked, limited technology options for critical processes such as claims processing means providers are not able to pursue alternate means when the only option is offline.
Throughout the Change Healthcare attack, provider organizations nationwide were unable to process claims and accomplish other crucial tasks while the service was unavailable and had no secondary option to switch to until the attack was resolved.
Analyzing the healthcare technology landscape and creating optionality is only one of several asks in the letter. In review of the Change Healthcare incident, the organizations determined there was a lack of clear communication throughout the event and after it. The signee organizations ask HHS and the attacked entity for continued communication throughout and after a cyberattack. Clear communication is deemed crucial to moving through an outage of critical technology infrastructure and these organizations highlighted that as a priority for HHS moving forward.
The letter makes clear that the incident itself does not end when the attack is resolved. Instead, communication and support must be maintained through the restoration of services as that is when an incident can be considered fully resolved.
The healthcare cybersecurity landscape is under constant threat. For healthcare stakeholders to remain ahead of these attackers, the nation needs to ensure threat anticipation, management, and post-incident response is prepared for all eventualities; this includes reviewing weaknesses attackers will look to exploit to cause maximum disruption. The letter to HHS aims to combat many of those weaknesses to strengthen the cybersecurity of the nation.
Many of the same organizations, including AHIMA, that signed this letter also collaborated on a similar letter earlier in the spring asking for clarity on how to respond directly to the Change Healthcare attack. In that letter, the signee organizations sought clarity on which entity was responsible for filing breach notification to HHS and impacted individuals, as well as how to go about that process. In response, the HHS Office for Civil Rights (OCR) released additional guidance on the matter.
AHIMA maintains that health information (HI) professionals are a crucial piece of the healthcare cybersecurity preparedness and response team. As organizations grapple with cybersecurity challenges, they should consult their HI professionals to understand where data is stored, as well as what data is stored there. Protecting the health privacy of patients takes an entire organization working in unison, and HI professionals remain well-positioned to play a growing role in the cybersecurity conversation.
Andrew Tomlinson is senior director of regulatory & international affairs for AHIMA.