Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
A recent executive order to ensure federal computer systems are safe from attack has implications for medical practices as well.
Like a team, a practice’s cybersecurity is only as strong as its weakest link. On May 11, 2017, President Donald Trump signed the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (hereinafter the “order”). Although the order’s title expressly refers to “federal networks and critical infrastructure,” people who contract with the government, including physicians who bill Medicare, need to meet the same standards.
This should not be a burden, given what the HIPAA Security Rule and the HITECH Act already require.
The general sentiment expressed in the order is that IT and data should be properly secured, that the risks are known but not mitigated, and that the various agencies and agency heads will be held accountable. This rests on the order’s finding that “[c]ybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents.” Subsequent sections build on this by expanding the scope of risk assessment to critical infrastructure, including an assessment of electricity disruption incident response capabilities and of the threat posed by various types of malware.
In Section 3, the order states:
“To ensure that the internet remains valuable for future generations, it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft. Further, the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.”
For physicians, there are three main takeaways:
1. A risk assessment that applies National Institute of Standards and Technology (NIST) standards, which the HIPAA Omnibus Rule references throughout, is critical. The HIPAA Security Rule already requires a risk analysis (45 CFR 164.308(a)(1)(ii)(A)); the order reinforces that this analysis must be current and its findings acted upon, not merely documented.
2. Continual training of everyone in a medical practice is essential.
3. There could be issues with Medicare claims submission if these standards are not met. Physicians sign an attestation whenever they submit a claim to CMS, and that attestation certifies compliance with all applicable laws and regulations. If a physician does not comply with HIPAA and the HITECH Act, the obligations that the executive order’s cybersecurity language reinforces, each claim submitted while out of compliance carries the potential of being a false claim.