This month, the National Institute of Standards and Technology (NIST) published version 1.0 of a national Cybersecurity Framework. This was at the behest of Obama’s February 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Healthcare is considered to be critical infrastructure, and as such the new Framework directly affects hospitals.

The Framework was defined by NIST with input from hundreds of organizations in the private sector, as well as government experts. A preliminary version of the Framework was put forward in October 2013, and the version published this month includes some welcome changes.

What’s the big change in the Framework from the preliminary version?

One change that hospitals — and other organizations that fall under the category of being “critical infrastructure” — should find welcome is the recognition in the Framework that not all types of data bring up privacy concerns. Specifically, the Framework document states that “not all activities in a cybersecurity program may give rise to” privacy considerations.

My take on this is that a change recognizing that “one size does not fit all” is of particular relevance for healthcare data, as the data in hospitals spans everything from the most mundane to the most sensitive and critical. The fact that the Framework now encourages providers to determine for themselves when privacy considerations are critical — and when they are not — should help considerably in advancing adoption of measures that ensure privacy.

Potential changes coming in HITECH Act to affect Meaningful Use Stage 3?

In related news, Congress appears interested in revisiting the HITECH Act and imposing potential deadlines and requirements for Electronic Health Records (EHR) to support standards for interoperability by 2017. Senator John Cornyn, R-Texas, proposed adoption of new standards as part of the rules for Meaningful Use Stage 3. Others have even said that interoperability “should be the highest priority” as they perceive that “more must be done to bolster” these efforts.

I think that Congress quite correctly perceives that interoperability has received at best lip-service support, as most patient data is kept in isolated siloes within departments and applications – and with little real effort to share data within the hospital, much less across hospitals and hospital systems. Indeed, the competitive climate of healthcare in the US provides disincentives to EHR interoperability.

I believe that action by Congress is warranted, as interoperability standards — and interoperability among EMR systems — are critical for the industry in order to enable improved patient outcomes, as well as to lower healthcare costs. However, hospital providers already under pressure need incentives as well as deadlines, and I hope that Congress considers that.