Healthcare Sector Faces New Cybersecurity Expectations Amid Medicare 2025 Rule Proposal
In a significant development for the healthcare industry, federal regulators are hinting at the introduction of enhanced cybersecurity requirements tied to Medicare participation. The Centers for Medicare and Medicaid Services (CMS) recently included a brief announcement in its expansive 2025 physician fee schedule and payment policy rule, indicating forthcoming considerations for cybersecurity best practices for clinicians participating in the Merit-based Incentive Payment System (MIPS).
MIPS is an established program that aligns Medicare reimbursements with a physician’s performance in delivering healthcare. A crucial aspect of this program is the Promoting Interoperability (PI) initiative, which evolved from the HITECH Act’s incentives aimed at achieving meaningful use of electronic health records. The PI program is particularly focused on improving patient access to health information and facilitating the electronic exchange of healthcare data.
While cybersecurity has already been a requirement within the PI framework—mandating that MIPS participants conduct and attest to conducting a security risk analysis annually—the latest CMS announcement suggests that additional security practices might be integrated into the program in the future. "We aim to inform readers of the additional resources and activities from the Department of Health and Human Services (HHS) focused on cybersecurity recommendations to assist the healthcare sector in addressing cyber threats," CMS stated in the recent ruling.
The HHS has underscored its commitment to promoting cybersecurity through a newly launched website that outlines recommended performance goals, and CMS indicated that these goals may eventually influence the MIPS program. In a December concept paper, HHS categorized its 10 "essential" and 10 "enhanced" cybersecurity performance goals as voluntary best practices, while also suggesting that they could later become mandates for hospitals participating in CMS-regulated financial frameworks.
Expert commentary has noted that HHS has been signaling an increase in cybersecurity expectations within the healthcare sector for some time now. David Holtzman, a privacy attorney with HITprivacy, explained that HHS might incorporate some form of cybersecurity scoring into the Promoting Interoperability Program in future iterations of the physician fee schedule. "This is akin to a preliminary advisory; they are indicating that cybersecurity considerations are likely on the horizon," he remarked.
Moreover, regulatory expert Rachel Rose noted that incentives for improved security measures already exist within the healthcare sector. A recent amendment to the HITECH Act, enacted on January 5, 2021, allows covered entities and business associates under HIPAA to benefit from shorter investigatory processes and reduced fines, provided they have implemented recognized security practices, such as the NIST Cybersecurity Framework, for a minimum period of 12 months. Rose highlighted the dual nature of regulatory incentives: some organizations respond well to positive reinforcement, while others may require stricter enforcement mechanisms.
As the healthcare industry braces for potential new cybersecurity mandates, it faces increased risk from cyber attacks, which can involve a range of tactics and techniques catalogued in the MITRE ATT&CK framework. Adversaries may gain initial access through techniques such as spearphishing or exploitation of public-facing applications, then establish persistence to maintain control of compromised systems. Privilege escalation techniques can then allow attackers to move through successive levels of access, increasing the severity of an attack on sensitive health information.
The implications of these developments are substantial for healthcare providers and related organizations, particularly as they navigate the complex interplay of regulatory compliance, patient privacy, and information security in an increasingly digital landscape. As the CMS continues to refine its payment policies, the drive towards enhanced cybersecurity measures underscores the critical importance of safeguarding health data against ever-evolving cyber threats.