Two hot-topic developments in cybersecurity and government procurement.
Since Physicians Practice® has a wide breadth of readers, including physicians who are owners of companies that participate in U.S. Government procurement processes with various government agencies, I wanted to provide an overview of some key terms and standards, as well as share some takeaways that relate back to healthcare providers.
But first, there are two recent cybersecurity items that deserve attention. The FBI and CISA issued a Joint Cybersecurity Advisory to warn of “a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports.” Given the increase in cyberattacks during COVID-19, as well as the rapid deployment of telecommuting and telehealth, it is critical for covered entities, business associates, and subcontractors to conduct their annual risk analyses.
Another item is the House passing the Internet of Things (IoT) Cybersecurity Improvement Act, which was initially introduced in the Senate in 2017 and reintroduced in 2019. The bill received bipartisan support to improve “the cybersecurity of Internet-connected devices by requiring that devices purchased by the U.S. government meet minimum-security requirements.” If adopted, the bill would require the following:
Many of these requirements are similar to those in other areas of procurement. First and foremost, the National Institute of Standards and Technology (“NIST”) requirements must be met. This makes sense because the U.S. Government applies these requirements internally as a matter of course. To mitigate the risk of hiring a vendor with inadequate technical, administrative, and physical safeguards, the Government uses NIST as a foundation.
NIST is also incorporated into a variety of laws including, but not limited to, the following:
What can physicians, covered entities, and business associates take away from the government procurement process? First, NIST standards should be incorporated into an entity’s annual HIPAA risk analysis and related policies and procedures. Second, providers contract with the Centers for Medicare and Medicaid Services to participate in Medicare, Medicaid, and TRICARE; read the provider agreement, as well as the attestation portion of the CMS and TRICARE claim forms. Lastly (and it should really go without saying), be truthful when submitting any document to the government, especially when payment is involved.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.