
WEDI Calls for HHS Action to Ensure Data Exchange Continuity Following Cyberattacks

Recent Cyber Incidents Highlight Need to Maintain Flow of Prescriptions, Claims and Other Transactions

 

WASHINGTON, DC, May 16, 2024 — The Workgroup for Electronic Data Interchange (WEDI) has sent a letter to Xavier Becerra, Secretary of the Department of Health and Human Services (HHS), identifying issues and recommendations aimed at mitigating the potential consequences of a cyberattack on health care operations and patient safety. Health care organizations are significant targets for cyber theft. Health information is a high-value commodity to cyber criminals, and attackers often hold health information systems hostage until they have extracted maximum ransom payments.

“Recent cyberattacks, while unprecedented, are just the latest example of what has become unfortunately all too commonplace in the health care industry,” stated Charles Stellar, WEDI President and CEO. “When administrative transactions such as medication prescriptions, claims, and treatment authorizations cannot be conducted, provider operations and even patient care can be impacted,” stated Stellar.

Working with our multi-stakeholder membership, WEDI identified several actions the federal government could take to minimize the negative impact a cyberattack can have on the health care system. WEDI’s recommendations to HHS included:

  • Create the Office of National Cybersecurity Policy. The federal government should create a new office called The Office of National Cybersecurity Policy (ONCP), led by a “Cyber Policy Czar.” The recommended ONCP would not replace any existing agency or usurp any other agency’s jurisdiction or function, but rather drive a centralized process of cyber incident reporting, coordinating harmonization efforts across federal agencies, stakeholder education (with a focus on under-resourced organizations), steer funding for stakeholder cyber preparedness, develop and deploy national contingency planning, and serve as the point agency for industry recovery following a major cyber incident.
  • Conduct Select Audits and Educate Industry. HHS, through its Office for Civil Rights (OCR), should conduct proactive, comprehensive select audits of the health care sector. Through these select audits, OCR can identify best practices that will provide guidance targeted to address compliance challenges and be leveraged in an educational campaign to better prepare covered entities to address cyber threats.
  • Establish a Voluntary Security Audit Program. OCR should be directed to establish a program that would permit covered entities to voluntarily undergo a security audit. Those submitting their policies and procedures for voluntary review should not be subject to enforcement action should any deficiencies be identified during the audit. Rather, the organization should be given sufficient time to correct any issues.
  • Accredit the Accreditation Programs. HHS should consider developing minimum standards for third-party accreditation/certification entities. A minimum set of security, privacy and cybersecurity standards could be mandated to ensure that an accredited or certified organization would be in the best position to avoid a cyberattack or mitigate the effects of a cyberattack.
  • Implement Administrative Actions. HHS should build on its actions following the recent cyberattack on a major clearinghouse. Should a major cyber incident occur, HHS should have in place and be ready to implement actions to immediately assist data exchange processes between providers and health plans. These actions could include:
    • Expedite new electronic data interchange (EDI) enrollment.
    • Accept paper claims.
    • Relax or eliminate select prior authorization requirements.
    • Provide advance funding.
    • Delay or waive data reporting requirements.
    • Issue trading partner post-attack communication guidance.
    • Explore opportunities to increase cybersecurity funding.
  • Implement an Annual National Health Care Cyber “Fire Drill.” HHS should designate a week as “National Health Care Cyber Fire Drill Week.” This would be a designated period (i.e., a week) where the federal government would lead the health care industry in promoting cyber awareness and action.

“No health care organization is immune to the threat of cyberattack and countering these threats will require a collaborative effort between the private and private sectors,” stated Stellar. “Maintaining operational continuity and safeguarding the care delivery process must be a top priority of the government should a critical health care organization be the victim of a cyber incident,” stated Stellar.

Access the full WEDI letter to HHS here.

About WEDI

WEDI was formed in 1991 by then HHS Secretary Dr. Louis Sullivan to identify opportunities to improve the efficiency of health data exchange. WEDI was named in the HIPAA legislation as an advisor to the Secretary of HHS. Recognized and trusted as a formal advisor to the Secretary, WEDI is the leading authority on the use of health information technology to efficiently improve health information exchange, enhance care quality, and reduce costs. With a focus on advancing standards for electronic administrative transactions, and promoting data privacy and security, WEDI has been instrumental in aligning the industry to harmonize administrative and clinical data. For more information, please visit wedi.org.

###

Contact

Robert Tennant
VP, Federal Affairs

WEDI

202.368.6275
rtennant@wedi.org
