By Rachel V. Rose, JD, MBA, Rachel V. Rose - Attorney at Law, PLLC
Zero Trust and the ONC-SAMHSA Initiative


Date Posted: Friday, April 12, 2024


"Cybersecurity is patient safety" is a phrase that should be indoctrinated into everyone's brain in the healthcare and public health sector. The notion is highlighted by a late-January/early-February series of announcements by Lurie Children's Hospital of Chicago that the hospital went "old school," reverting to paper records and establishing a call center as part of its business continuity process in order to "protect the information of our patients, workforce, and organization at large." Subsequently, they announced that the "network was accessed by a known criminal threat actor."


As reported by Becker's Healthcare IT, "FBI Chicago is aware of the recent cybersecurity incident affecting Lurie Children's Hospital and is utilizing all available investigative tools and resources to provide assistance." An FBI spokesperson emailed Becker's, "As always, our attention remains on ensuring the safety of our citizens and our nation's critical infrastructure."


Utilized by Senator Warner in his December 2022 White Paper and by the American Hospital Association (AHA), "Cybersecurity is patient safety" underscores the notion that optimal patient care and the avoidance of adverse patient events are intertwined with cybersecurity, which includes compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the related Rules. As I recently wrote in another article, in January 2024 the U.S. Department of Health and Human Services (HHS) issued its "Healthcare and Public Health Sector Specific Cybersecurity Performance Goals," which are not surprising given what is already legally required by the HIPAA Security Rule (see R.V. Rose, "HHS Cybersecurity Performance Goals Consistent With Legal Requirements," Physicians Practice, Feb. 1, 2024). Nothing surprising there.


What recently caught my attention was an article about implementing Zero Trust in healthcare and the February 5, 2024, announcement, "SAMHSA and ONC Launch Behavioral Health Information Technology Initiative." For those new to healthcare, "SAMHSA" stands for the Substance Abuse and Mental Health Services Administration, while "ONC" stands for the Office of the National Coordinator for Health Information Technology.


The purpose of this article is to provide a synopsis of Zero Trust and the Behavioral Health Initiative so that healthcare industry participants can thwart the internal and external threat actors who seek patient data because of its value.




As defined by the National Institute of Standards and Technology (NIST), Zero Trust is "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised" (see NIST SP 800-207). Executive Order 14028, "Improving the Nation's Cybersecurity," mandates both government agency adoption of Zero Trust and compliance per FISMA. OMB Memorandum M-22-09 mandates that agencies achieve identified Zero Trust security goals by the end of FY 2024. The security goals are tied to the Zero Trust Maturity Model developed by the Cybersecurity and Infrastructure Security Agency (CISA), as shown in the graphic. The general areas that cut across every pillar of that model are visibility and analytics, automation and orchestration, and governance. Governance is also now a core component of NIST's Cybersecurity Framework 2.0.



What struck me about the HealthTech article, "How Is Zero Trust Working in Healthcare Today?" (Feb. 2, 2024), follows:


  • Zero Trust can work across an entire system.
  • "While healthcare organizations are following [NIST] SP 800-207 and the Zero Trust Maturity Model from [CISA], many are still trying to implement zero-trust controls from version one of the models. Some healthcare systems are looking toward version two and beginning to address governance for each area of the model, but they're in the minority."
  • "IT teams often lose visibility of their data in the cloud or in the custody of third-party providers" and they do not have "complete visibility of their environments, including identities, devices, and data assets."
  • New solutions should not be introduced "without having a clear understanding of its control gaps, the extent to which its current solutions are deployed, and the workflows that enable its environment."


The CISA framework goes hand in hand with the NIST requirements. When conducting the requisite HIPAA Annual Risk Analysis, it is prudent to include NIST and Zero Trust requirements.


Switching gears to the ONC-SAMHSA initiative, as noted by the agencies' joint statement in "SAMHSA and ONC Launch the Behavioral Health Information Technology Initiative" (samhsa.org):


"Health IT adoption among behavioral health providers currently lags behind other providers. This is due in part to their ineligibility to participate in health IT incentive programs, such as those under the Centers for Medicare and Medicaid Services. ONC analysis of American Hospital Association survey data from 2019 and 2021 found that 86% of non-federal, general acute care hospitals had adopted a 2015 Edition certified EHR; in contrast, only 67% of psychiatric hospitals had adopted a 2015 Edition certified EHR. Furthermore, ONC analysis of SAMHSA survey data from 2020 shows that psychiatric hospitals lag even further behind in adoption of interoperability and patient engagement functions" (Feb. 5, 2024).


Over the course of the next three years of the Behavioral Health Information Technology (BHIT) Initiative pilot program, SAMHSA-specific behavioral health data elements will be coordinated and explored by grant recipients using "a new USCDI+ domain for behavioral health to improve the effectiveness and reduce the costs of data capture, use, and exchange for behavioral health providers."


Overall, the objectives are summed up as follows:


"The content standards developed as part of this USCDI+ project will support capturing key behavioral health data at the point of care (e.g., depression screening) to enhance care continuity between behavioral health providers and other clinical providers caring for the same patient. This will alleviate the reporting burden experienced by SAMHSA's grantees by improving the ability of mental health and substance use treatment providers to measure, evaluate, and report on the care they provide."


In sum, keeping a pulse on government initiatives and on the cybersecurity threat and compliance landscape in the healthcare sector, and continuing to abide by HIPAA and the related laws and rules, is critical for potentially avoiding an enforcement action, False Claims Act case, or cyberattack, as well as for ensuring patient safety.




To bring it full circle, taking a patient-first approach is beneficial not only for clinical outcomes but for the safety of patient information and the various processes within a hospital, medical device transmission, and revenue cycle management. Spending adequate resources on the front end can mitigate potentially substantial expenditures on the back end and avoid legal, financial, and reputational damage.


Rachel V. Rose, JD, MBA


Ms. Rose has a unique background, having worked in many different facets of healthcare throughout her career including: work in acute care hospitals including the operating room and dietary department; consultative work as a top performing representative for the pharmaceutical and medical device industry; work for the Chairman of the Reform and Oversight Committee on Capitol Hill; intern at the Department of Health and Human Services; and compiling policy papers at the Royal College of Nursing in London. She has worked on Wall Street and at one of the Big Four consulting firms.


Rachel V. Rose – Attorney at Law, PLLC - Home (rvrose.com)




