OUTLOOK 2016: Cybersecurity to Become Main IT Concern for Hospitals

Bloomberg BNA's Health IT Law & Industry Report brings you concise, comprehensive, and timely news and analysis of the regulatory, legal, and compliance issues surrounding our nation’s...

By Alex Ruoff

Health-care organizations in 2016 will be focused on improving cybersecurity and preparing for changes to Medicare's quality incentive programs, industry observers told Bloomberg BNA.

Health-care organizations became a major target for cybercriminals in 2015, a trend that will likely force hospitals and providers to spend an estimated $1 billion on cybersecurity measures in the coming year. Four of the five largest breaches in the HHS Office for Civil Rights database of health data breaches occurred in 2015.

In addition to cybersecurity, the meaningful use program will continue to be a top health IT concern for health-care organizations.

Industry groups are expected to continue to lobby for changes to the federal electronic health record program, particularly for a delay to Stage 3 and blanket hardship exceptions for the health-care providers and hospitals that failed to meet the program's requirements in 2015.


Cyberattacks on health-care organizations reached an all-time high in 2015 and aren't expected to slow down in 2016, Harry Greenspun, director for Deloitte's Center for Health Solutions, told Bloomberg BNA.

The value of health information for hackers is set to rise even as the value of other types of personal information falls in the coming year, Greenspun said. This will create an incentive for cybercriminals to continue to target health-care institutions, he said.

“As the black market value of health information continues to rise, so will attempts to hack into those systems,” Greenspun said. “With expanding networks and partnerships, new vulnerabilities will appear, requiring companies to redouble their efforts and adopt new, more agile ways of protecting data. Those that lag behind face significant financial and reputational risk.”

In response, health-care organizations are expected to spend more than $1 billion on cybersecurity preparation in 2016, according to a survey of health-care executives by the Healthcare Information and Management Systems Society.

The survey found that more health-care companies than ever are preparing for cyberattacks. Nearly 90 percent said information security had become a critical business priority for them.

Congressional Response

Federal lawmakers are also expected to take more interest in cybersecurity, particularly related to health-care and medical identity fraud, in 2016.

The 2016 federal budget requires the Department of Health and Human Services to create a taskforce to analyze how industries other than health care have combated cybersecurity threats. The group would be required to publish a report on these threats one year after the bill is passed.

The bill also requires the HHS to work with homeland security officials to create a set of “industry-led guidelines, best practices” and processes for improving health-care organizations' cybersecurity.

Samantha Burch, senior director of congressional affairs for HIMSS, told Bloomberg BNA that the cybersecurity provisions of the budget bill aren't a “silver bullet solution” to the cybersecurity issues health-care organizations face. Rather, she said, the bill will focus HHS and industry efforts.

“I think a major benefit will be having a single pipeline for sharing cyberthreat data,” Burch said.

Lawmakers in the Senate are also mulling ways to improve the federal government's response to instances of medical identity theft, a staff member of the Senate Finance Committee told Bloomberg BNA.

Republican and Democratic leaders of the committees on Finance and Health, Education, Labor and Pensions questioned HHS officials in November about how they're tracking medical identity theft reports and supporting law enforcement agencies in responding to instances of medical identity theft. The lawmakers also questioned how current federal privacy laws combat medical identity theft. (see previous article)

The Finance Committee is particularly interested in ways the HHS could strengthen its reporting of health data breaches and assistance to those affected by medical identity theft.

Burch said Congress is increasingly taking an interest in health IT issues because lawmakers are starting to see the technology as critical to health-care reform.

“Congress is focused on health IT and health in a way it hasn't since the passage of HITECH,” Burch said, referring to the Health Information Technology for Economic and Clinical Health Act.

Meaningful Use

Despite calls from the industry for an overhaul, health IT industry observers said it's unlikely the CMS will make major changes to the meaningful use program in 2016.

“My prediction is that MU in 2016 will remain on track and more or less unchanged,” Jim Oakes, an executive consultant with Arlington Health Group, told Bloomberg BNA.

The American Medical Association and the American Hospital Association, which collectively represent the bulk of the country's doctors and hospitals, asked the CMS in December 2015 to shorten the meaningful use program's reporting periods and remove its “all or nothing” approach.

The AMA told Bloomberg BNA it plans to continue its Break the Red Tape campaign, focused on getting support from federal lawmakers to delay the final stage of the meaningful use program, set to begin in 2017.

One key AMA request—that the CMS be empowered to grant blanket hardship exceptions for providers who failed to meet the requirements of the meaningful use program—was granted late in 2015 (see previous article).

Congress Dec. 18, 2015, passed the Patient Access and Medicare Protection Act, which gave the CMS the ability to create automatic exceptions from Medicare penalties for failing to comply with the meaningful use program. Currently, the CMS can only approve hardship exceptions on a case-by-case basis, making it difficult for providers and hospitals in the program to know ahead of time whether they'll be hit with a Medicare penalty.

A blanket hardship exception would allow providers that struggled to meet requirements of the meaningful use program in 2015 to avoid a Medicare reimbursement penalty, the AMA said.

Oakes said there's not enough support in Congress for other major changes to the meaningful use program. However, he said he expects lawmakers to “exhibit more and more concern” about the meaningful use program to pressure the CMS to make changes.

This concern is likely to be prompted by an expected increase in dropouts from the meaningful use program, Oakes said.

Industry groups, such as the AHA and Medical Group Management Association, have warned that many hospitals and providers still aren't ready to meet the requirements of Stage 2 of the meaningful use program and are likely to file for hardship exemptions to avoid Medicare reimbursement penalties for failing to comply with program requirements (see previous article).

Participation in the meaningful use program peaked in 2014, with 305,018 providers and 4,379 hospitals collecting Medicare or Medicaid incentive payments through the program (see previous article).

However, industry researchers said participation only surged because CMS late in 2014 issued a final rule that allowed providers and hospitals to stay in Stage 1 of the program. Many have said there's little evidence that providers and hospitals will be better prepared to tackle the challenges of Stage 2.

Consumer Engagement

While hospitals push to lessen the requirements of Stage 2 and delay Stage 3, consumer advocates will counter with a push to keep the meaningful use program's patient and consumer engagement requirements.

Shannah Koss, a health policy consultant and president of Koss on Care LLC, told Bloomberg BNA that this “continued watering down of consumer engagement” would be the only major change for the program.

The CMS's final rule establishing Stage 3 requirements also eased a controversial requirement that hospitals and health-care providers in Stage 2 of the meaningful use program get a portion of their patients to download a copy of their health record through a patient portal.

Stage 2 originally required providers and hospitals to get 5 percent of their patients to download a copy of their health record through a patient portal. The CMS's final rule dropped that requirement to just a single patient in 2015 and 2016 but restored it to 5 percent of all patients for 2017.

A consortium of patient advocacy groups will work in 2016 to ensure the CMS doesn't continue to reduce this requirement.

The Consumer Partnership for eHealth told the CMS in a Dec. 15, 2015, letter they're concerned about the “chilling effect” of lowering patient engagement requirements.

The group said these requirements are “critical to prepare for an effective transition into new models of payment and delivery in 2018.”

“Patients need tools to set health care goals, make informed decisions and communicate with providers and this is where health IT makes a critical difference: It helps connect 21st century patients with 21st century care,” Deborah Ness, president of the National Partnership for Women & Families, said in a statement.

New Payment Models

However, Greenspun told Bloomberg BNA there remains a gap between health-care organizations with the resources to install these new technologies and those that do not. He said wealthier organizations will adopt new technologies and payment models faster and thrive under Stage 2 and Stage 3 of the meaningful use program.

“The adoption of population health and value-based care is pretty spotty around the country,” Greenspun said. “I think in the next couple of years, starting next year, we'll see pockets of great alignment and adoption and some pretty drastic misalignment with meaningful use.”

The CMS expects 30 percent of Medicare payments to be linked to “alternative payment models,” namely accountable care organizations, the agency announced early in 2015. However, the CMS does expect 85 percent of all its fee-for-service payments to be based on the quality or efficiency of health-care delivery in 2016.


The Office of the National Coordinator for Health IT has pointed to 2016 as a pivotal year in its effort to improve the interoperability of health IT systems.

Karen DeSalvo, the national coordinator for health IT, said Dec. 8, 2015, she wants to connect the more than 50 regional health information exchanges around the country to facilitate the nationwide exchange of patient records.

Paul Uhrig, executive vice president and chief administrative, legal and privacy officer for health IT developer Surescripts, told Bloomberg BNA that private exchange efforts will likely lead the charge on improving the interoperability of electronic health records in 2016. Surescripts operates the country's largest electronic prescribing network, connecting roughly 900,000 health-care providers.

Surescripts, along with EHR giants Epic Systems and Greenway, plans to premiere a record locator service early in 2016. The service will allow doctors to more easily find patient records held by other doctors, he said.

“This is capability we have in our network we're looking to expand,” Uhrig said.

The CommonWell Health Alliance, a coalition of EHR vendors Cerner, athenahealth and others, also opened record-sharing services at 1,200 health-care organizations in 2015 and hopes to expand to 6,000 in the coming year, the group announced Dec. 17, 2015.

To contact the reporter on this story: Alex Ruoff in Washington at aruoff@bna.com

To contact the editor responsible for this story: Patty Logan at plogan@bna.com