Getty Images/iStockphoto

HSCC Tells HHS: Include Patching in Stark Law Cybersecurity Donations

In response to HHS proposed changes to Stark Law and the Anti-Kickback Statute, HSCC is urging stakeholders to include patching and updates as allowable donations to protect providers.

The Department of Health and Human Services’ proposed changes to the Physician Self-Referral Law (Stark Law) and the Federal Anti-Kickback Statute should include patching and update language in allowable cybersecurity donation rules, according to comments from the Healthcare and Public Health Sector Coordinating Council.

In October, HHS proposed changes to those rules that would establish an exception or safe harbor for the donation of cybersecurity technology and services to small and under-resourced providers. According to officials, the effort is designed to modernize the regulations for the digital age.

The proposal is targeted to providers participating in value-based arrangements and other care coordination programs and part of HHS’ Regulatory Sprint to Coordinated Care. The rule would also strengthen the cybersecurity posture of those providers, by removing real or perceived barriers providers face when addressing cybersecurity risks.

“The [proposed rules] are part of a much broader effort to update, reform, and cut back our regulations to allow innovation toward a more affordable, higher quality, value-based healthcare system, while maintaining the important protections patients need,” HHS Deputy Secretary Eric Hargan, said at the time.

The efforts received overall praise from the industry, especially around the donation of cybersecurity assistance and software. HSCC also commended the efforts, at the time, and have since provided feedback in hopes to strengthen HHS’ efforts, while ensuring the proposal accomplishes its goal.

Notably, the proposed changes to Stark Law and the Anti-Kickback Statute were recommended in the 2017 Healthcare Industry Cybersecurity Task Force Report.

To accomplish its goals, HHS should focus on four key areas, including improving the patching language outlined in the proposal. As noted repeatedly in recent years, patching challenges plague the healthcare sector and cause significant risks to provider networks and patient data. As many providers continue to use outdated, legacy platforms, those cyber risks are rapidly increasing.

HSCC is concerned that both proposals express patching and updates will not be considered as allowable donations, and therefore would not receive protection under the safe harbor/exception.

“Feedback we received from members suggested this could create significant complications in disaggregating when technology is permitted to be donated,” HSCC Cybersecurity Working Group Executive Director Greg Garcia wrote. “Often, patching is given to providers for free as it is built into the contracts with vendors.”

HSCC asked HHS to clarify the language in the proposal to explain “whether accepting routine or critical updates would implicate a violation of the exception/safe harbor.”

“Some patches also may be aimed at security, while others may be more general,” Garcia added. “Have CMS and OIG considered permitting patching when it is needed for security purposes?”

Technology definitions outlined in the proposed changes also raise concerns for HSCC, especially calls to exclude hardware from technology permitted for cybersecurity donation exceptions and safe harbor.

The approach could hinder the success of the safe harbor given the lines between what’s considered software and hardware are increasingly blurred, HSCC explained. And taking hardware out of the technology definition “does not account for the pace of innovation.”

“Vendors do not typically break out the cost of hardware versus software – the price or value is based upon the totality of the device,” Garcia wrote. “An example would be a networking device that is running software.”

“Precluding the donation of hardware, therefore, could create barriers to donations of cybersecurity technology if donors and recipients aren’t clear how to disaggregate the two,” he added.

Lastly, HSCC lauded HHS continue focus on small and under-resources providers, as well as language outlining the program’s voluntary nature. To ensure clarity, HHS should add language explaining whether providers will be offered safe harbor if a recipient of donated technology experiences a cyberattack.

Further, several industry stakeholders have expressed concern that they could be held liable if a recipient of donated tech experiences a security incident. HHS should better outline protections and liabilities in the proposed changes to ensure those concerns do not impede donations.

“Without some sort of protection for the donating provider, some providers are unlikely to take advantage of this donation exception/safe harbor,” Garcia explained.

“We support policies that will aid [small and under-resourced] providers, as the healthcare ecosystem is increasingly interconnected,” he added. “The better small and under-resources providers can protect themselves, the better it is for the entire system.”

Dig Deeper on HIPAA compliance and regulation