Zero Trust and the ONC-SAMHSA Initiative


"Cybersecurity is patient safety" is a phrase that everyone in the healthcare and public health sector should take to heart. The notion was highlighted by a late-January/early-February series of announcements from Lurie Children's Hospital of Chicago: the hospital went "old school," reverting to paper records and establishing a call center as part of its business continuity process in order to "protect the information of our patients, workforce, and organization at large." The hospital subsequently announced that its "network was accessed by a known criminal threat actor."

As reported by Becker's Healthcare IT, "FBI Chicago is aware of the recent cybersecurity incident affecting Lurie Children's Hospital and is utilizing all available investigative tools and resources to provide assistance." An FBI spokesperson emailed Becker's, "As always, our attention remains on ensuring the safety of our citizens and our nation's critical infrastructure."

Utilized by Senator Warner in his December 2022 White Paper and by the American Hospital Association (AHA), "Cybersecurity is patient safety" underscores the notion that optimal patient care and the avoidance of adverse patient events are intertwined with cybersecurity, which includes compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the related Rules. As I recently wrote in another article, in January 2024 the U.S. Department of Health and Human Services (HHS) issued its "Healthcare and Public Health Sector Specific Cybersecurity Performance Goals," which are not surprising given what the HIPAA Security Rule already legally requires (see R.V. Rose, "HHS Cybersecurity Performance Goals Consistent With Legal Requirements," Physicians Practice, Feb. 1, 2024).

What recently caught my attention was an article about implementing Zero Trust in healthcare and the February 5, 2024, announcement, "SAMHSA and ONC Launch Behavioral Health Information Technology Initiative." For those new to healthcare, "SAMHSA" stands for the Substance Abuse and Mental Health Services Administration, and "ONC" for the Office of the National Coordinator for Health Information Technology.

The purpose of this article is to provide a synopsis of Zero Trust and the Behavioral Health Initiative so that healthcare industry participants can thwart the internal and external threat actors who seek out patient data because of its value.

Analysis

As defined by the National Institute of Standards and Technology (NIST), Zero Trust is "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised" (see NIST SP 800-207). Executive Order 14028, "Improving the Nation's Cybersecurity," mandates both government agency adoption of Zero Trust and compliance per FISMA. OMB Memorandum M-22-09 mandates that agencies achieve identified Zero Trust security goals by the end of FY 2024. Those security goals are tied to the Zero Trust Maturity Model developed by the Cybersecurity and Infrastructure Security Agency (CISA), as shown in the graphic. The cross-cutting areas of that model are visibility and analytics, automation and orchestration, and governance. Governance is also now a core component of NIST's Cybersecurity Framework 2.0.
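To make the NIST wording concrete, the following Python sketch is an added example (not code from this article, from NIST SP 800-207, or from CISA) of a policy decision point that decides each request on its own merits: authentication strength, device posture, the role's explicit allow-list, and the sensitivity of the data all feed the decision, while being on the corporate network earns nothing. The roles, resource labels, posture fields, sample requests, and the 60-minute re-authentication limit are constructed assumptions, not values from the article.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role-to-permission table: each role gets only the actions its job
# needs on each resource type (least privilege). Roles and resource names are assumptions.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "clinician":  {"phi_record": {"read", "write"}, "scheduling": {"read", "write"}},
    "billing":    {"phi_record": {"read"},          "scheduling": {"read"}},
    "contractor": {"scheduling": {"read"}},
}

# PHI access requires a session authenticated within this many minutes (assumed value).
MAX_PHI_SESSION_MIN = 60


@dataclass
class Subject:
    user_id: str
    role: str
    mfa: bool               # second-factor authentication completed for this session
    session_age_min: int    # minutes since the subject last authenticated


@dataclass
class Device:
    device_id: str
    managed: bool                 # enrolled in the organization's device management
    patched: bool                 # latest posture check found no missing critical patches
    on_corporate_network: bool    # recorded for the audit log, never used in the decision


@dataclass
class Request:
    subject: Subject
    device: Device
    resource_type: str    # "phi_record" or "scheduling" in this example
    action: str           # "read" or "write"
    resource_id: str


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Decide one request on its own: nothing is inherited from earlier requests or
    from where the device is connected, because the network is treated as compromised."""
    reasons: List[str] = []
    if not req.subject.mfa:
        reasons.append("mfa_required")
    if not req.device.managed:
        reasons.append("device_unmanaged")
    elif not req.device.patched:
        reasons.append("device_unpatched")
    allowed = ROLE_PERMISSIONS.get(req.subject.role, {}).get(req.resource_type, set())
    if req.action not in allowed:
        reasons.append("action_not_permitted_for_role")
    if req.resource_type == "phi_record" and req.subject.session_age_min > MAX_PHI_SESSION_MIN:
        reasons.append("reauthentication_required")
    return Decision(allow=not reasons, reasons=reasons)


def audit_record(req: Request, decision: Decision) -> str:
    """Structured log line for the visibility-and-analytics layer: every decision,
    allowed or denied, is recorded together with the attributes it was based on."""
    return json.dumps({
        "user": req.subject.user_id, "role": req.subject.role,
        "device": req.device.device_id, "managed": req.device.managed,
        "patched": req.device.patched, "corp_net": req.device.on_corporate_network,
        "resource": f"{req.resource_type}:{req.resource_id}", "action": req.action,
        "allow": decision.allow, "reasons": decision.reasons,
    }, sort_keys=True)


# Constructed sample requests, one per access pattern worth showing.
SAMPLE_REQUESTS = [
    Request(Subject("dr_lee", "clinician", True, 10), Device("lap-01", True, True, False), "phi_record", "read", "MRN-1001"),
    Request(Subject("dr_lee", "clinician", True, 10), Device("byod-7", False, True, True), "phi_record", "read", "MRN-1001"),
    Request(Subject("acct_kim", "billing", True, 5), Device("lap-02", True, True, True), "phi_record", "write", "MRN-1001"),
    Request(Subject("vendor_ng", "contractor", True, 3), Device("lap-03", True, True, False), "scheduling", "read", "CAL-9"),
    Request(Subject("dr_lee", "clinician", True, 180), Device("lap-01", True, False, False), "phi_record", "write", "MRN-1001"),
]


def run_samples() -> List[Decision]:
    """Evaluate every sample request, emit its audit line, and return the decisions."""
    decisions = []
    for req in SAMPLE_REQUESTS:
        d = evaluate(req)
        print(audit_record(req, d))
        decisions.append(d)
    return decisions


if __name__ == "__main__":
    run_samples()
```

Running it prints one JSON line per decision, the kind of record the visibility-and-analytics layer of the CISA model consumes. The second sample is the instructive one: the same clinician who was just allowed is denied from an unmanaged device even though that device sits on the corporate network, which is the inversion of the perimeter model that SP 800-207 describes.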



What struck me about the HealthTech article, "How Is Zero Trust Working in Healthcare Today?" (Feb. 2, 2024), follows:

  • Zero Trust can work across an entire system.
  • "While healthcare organizations are following [NIST] SP 800-207 and the Zero Trust Maturity Model from [CISA], many are still trying to implement zero-trust controls from version one of the models. Some healthcare systems are looking toward version two and beginning to address governance for each area of the model, but they're in the minority."
  • "IT teams often lose visibility of their data in the cloud or in the custody of third-party providers" and they do not have "complete visibility of their environments, including identities, devices, and data assets."
  • New solutions should not be introduced "without having a clear understanding of its control gaps, the extent to which its current solutions are deployed, and the workflows that enable its environment."


The CISA framework goes hand in hand with the NIST requirements. When conducting the requisite HIPAA Annual Risk Analysis, it is prudent to include the NIST and Zero Trust requirements in its scope.

Switching gears to the ONC-SAMHSA initiative, as noted in the agencies' joint statement, "SAMHSA and ONC Launch the Behavioral Health Information Technology Initiative" (samhsa.org):

"Health IT adoption among behavioral health providers currently lags behind other providers. This is due in part to their ineligibility to participate in health IT incentive programs, such as those under the Centers for Medicare and Medicaid Services. ONC analysis of American Hospital Association survey data from 2019 and 2021 found that 86% of non-federal, general acute care hospitals had adopted a 2015 Edition certified EHR; in contrast, only 67% of psychiatric hospitals had adopted a 2015 Edition certified EHR. Furthermore, ONC analysis of SAMHSA survey data from 2020 shows that psychiatric hospitals lag even further behind in adoption of interoperability and patient engagement functions" (Feb. 5, 2024).

Over the next three years of the Behavioral Health Information Technology (BHIT) Initiative pilot program, grant recipients will coordinate and explore SAMHSA-specific behavioral health data elements using "a new USCDI+ domain for behavioral health to improve the effectiveness and reduce the costs of data capture, use, and exchange for behavioral health providers."

Overall, the objectives are summed up as follows:


"The content standards developed as part of this USCDI+ project will support capturing key behavioral health data at the point of care (e.g., depression screening) to enhance care continuity between behavioral health providers and other clinical providers caring for the same patient. This will alleviate the reporting burden experienced by SAMHSA's grantees by improving the ability of mental health and substance use treatment providers to measure, evaluate, and report on the care they provide."

In sum, keeping a pulse on government initiatives and on the cybersecurity threat and compliance landscape for the healthcare sector, and continuing to abide by HIPAA and the related laws and rules, is critical for avoiding an enforcement action, a False Claims Act case, or a cyberattack, as well as for ensuring patient safety.

Conclusion


To bring it full circle, taking a patient-first approach is beneficial not only for clinical outcomes but for the safety of patient information and the various processes within a hospital, including medical device transmission and revenue cycle management. Spending adequate resources on the front end can mitigate potentially substantial expenditures on the back end and avoid legal, financial, and reputational damage.

Rachel V. Rose, JD, MBA


Ms. Rose has a unique background, having worked in many different facets of healthcare throughout her career, including work in acute care hospitals (the operating room and dietary department); consultative work as a top-performing representative for the pharmaceutical and medical device industry; work for the Chairman of the Reform and Oversight Committee on Capitol Hill; an internship at the Department of Health and Human Services; and compiling policy papers at the Royal College of Nursing in London. She has also worked on Wall Street and at one of the Big Four consulting firms.

Rachel V. Rose – Attorney at Law, PLLC - Home (rvrose.com)
