HHS security policies should focus on incentives, not penalties, health IT leaders say

The federal government needs to provide more resources and incentives to help healthcare organizations better protect their IT systems and data from cyberattacks, according to health IT security leaders. Currently, the Department of Health and Human Services’ privacy and security standards are too focused on compliance and are unduly punitive to healthcare provider organizations when a breach occurs, they said.  “It is vital that Congress and HHS identify a pathway for ensuring providers do not unduly shoulder the burden of protecting protected health information in situations outside their control,” wrote leaders of the College of Healthcare Information Management (CHIME) and the Association of Executives in Healthcare Information Security (AEHIS) in a letter to Sen. Mark Warner, D-Virginia. The letter, penned by CHIME president and CEO Russell Branzell and AEHIS advisory board chair Sean Murphy, was in response to Warner’s request for comment about the state of healthcare cybersecurity.