Cybersecurity presents thorny problems specific to healthcare organizations. Not only are their protection of personal health information strictly regulated by the HIPAA and HITECH laws, but such organizations are also more frequently the targets of cyberattacks due in part to the highly personal information collected by such organizations, and in part due to the relative lack of resources available to battle cyber-threats. One set of healthcare regulations not directly related to cybersecurity, the Stark anti-kickback law, has potentially hindered healthcare organizations in adapting to an increasingly cyber-insecure environment, and the healthcare community is seeking some relief from it.
On June 25, 2018, the Centers for Medicare and Medicaid Services (CMS), a division of the Department of Health and Human Services (HHS), issued a request for public comment on the regulatory impact of the Stark Law. Basically, the Stark Law prohibits physicians from referring patients to a provider from which the referring physician benefits financially, and is intended to prevent medical decisions from being made for monetary rather than medical reasons. One would not expect the Stark law prohibition on physician self-referrals to have any connection to cybersecurity, but the law is one of strict liability and broad in its application. The financial benefit received by a referring physician need not be a purely monetary one, but can include the acceptance of services. For example, if a hospital were to provide a medical practice with assistance in managing electronic medical records or implementing cybersecurity measures, and the medical practice were to refer a patient to that hospital, the combination of occurrences could trigger Stark Law liability even if the two acts were completely independent of each other. It is the same even if it is for liver cancer symptoms. These are not academic concerns. In 2006, CMS issued rules creating an exception to the Stark Law for software or training related to electronic health records to allow healthcare organizations to coordinate on those matters without fear of running afoul of the Stark law.
On August 24, 2018, the Cybersecurity Working Group of the he Healthcare and Public Health Sector Coordinating Council (HSCC), a healthcare trade organization representing 198 healthcare organizations, responded to the CMS request for comment. HSCC’s letter asks CMS to extend the safe harbor for non-monetary contributions related to electronic health records to cybersecurity. The letter notes the threats facing the healthcare industry, including the high profile Petya and WannaCry attacks that affected UK and US organizations in 2017. The letter recommends that a Stark exception be created to “allow providers to donate cybersecurity technology (both hardware and software), training and tools to other providers (i.e. under-resourced or less sophisticated ones)….” Such an exception would improve the overall cybersecurity of the healthcare industry, as the healthcare system is so interconnected and interdependent that only a team effort that includes shared resources can adequately protect the industry from the constant cyber-threats that it faces.
Given the challenges facing the healthcare industry in this area, the interest of CMS in seeking revisions to the Stark Law, and CMS’s receptiveness to changes in the past with electronic health records, it seems likely that the creation of a safe harbor will soon be on the regulatory agenda. Certainly such a safe harbor that allows the sharing of cybersecurity tools and resources across healthcare organizations is unlikely to be a panacea to the industry, but it would just as certainly be a welcome and necessary measure to improve the vulnerable industry’s response to cyber-threats.