Webinars & Member Engagement
Regional Roundup Recap
Key Takeaway: On Wednesday, April 10th, CHIME hosted a Regional Roundup in the Washington, DC area with participation by local members and the Public Policy team.
Why It Matters: The event, hosted by Scott MacLean, SVP and CIO, Medstar Health & CHIME’s Board chair, was sponsored by AHEAD, Clearsense, and Zscaler. It included a riveting panel discussion on AI with members Matt Kull, Chief Information and Digital Officer, Inova Health; Tressa Springman, CIO and Chief Digital Officer, Lifebridge Health; and Alaap Shah, Partner, Epstein Becker & Green.
Baldrige Award
Key Takeaway: We are proud to announce that last week, Mari Savickis, the Vice President of Public Policy for CHIME, was presented with the Malcolm Baldrige Foundation Awards for Leadership Excellence in Cybersecurity. Mari was among others honored for her work. Check out the CHIME press release here.
Why It Matters: The Leadership Excellence in Cybersecurity Award highlighted the critical role of safeguarding our healthcare systems and the well-being of patients globally. This prestigious award is testimony to the work that goes on behind the scenes in Washington, advocating for our members on policies that help providers deliver patient care safely and securely.
CHIME Board Chair to Testify Before Congress
Key Takeaway: CHIME Board Chair, Scott MacLean, has been invited to testify before the House Energy & Commerce Health Subcommittee on Tuesday, April 16th at 10:00 a.m. ET on the topic of cybersecurity. The hearing will be live streamed here.
Why It Matters: Scott will join several other panelists to deliver testimony at a hearing entitled “Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack.” He will be joined by the following other witnesses:
- Greg Garcia, Executive Director for Cybersecurity, Healthcare Sector Coordinating Council
- Robert Sheldon, Senior Director of Public Policy and Strategy, CrowdStrike
- John Riggi, National Advisor for Cybersecurity and Risk, American Hospital Association
- Dr. Adam Bruggeman, MD, Orthopedic Surgeon, Texas Spine Center
Privacy Draft Bill Released
Key Takeaway: House Energy and Commerce (E&C) Committee Chair Cathy McMorris Rodgers (R-WA) and Senate Commerce Committee Chair Maria Cantwell (D-WA) released the American Privacy Rights Act of 2024, a draft bill that establishes a national data privacy framework.
Why It Matters: The draft bill is the first meaningful piece of comprehensive privacy legislation in the 118th Congress. It attempts to address what some lawmakers perceived as shortcomings with the American Data Privacy and Protection Act (ADPPA) introduced in the last Congress by the previous Energy & Commerce Chair, Frank Pallone (D-NJ) in 2022. Chair Cantwell was among the critics of the ADPPA for “weak enforcement provisions” and thus her co-sponsorship for the new bill has been critical.
The bi-cameral, bi-partisan draft bill represents months of negotiation intended to iron out differences left unresolved in the earlier bill including establishing a higher compliance bar than existing state laws by removing the “patchwork” effect, permitting those who feel their privacy rights have been violated to file private rights of action, and greater enforcement by the Federal Trade Commission (FTC).
With Energy & Commerce Chair McMorris Rodgers set to retire at the end of this year, ranking member Pallone indicating a willingness to resolve any remaining issues, and Chair Cantwell a co-sponsor, this is the best chance national privacy legislation has had to succeed. That said, many obstacles still must be cleared before this could happen, including only a few months until year’s end and other competing Congressional priorities.
You can find a detailed memo comparing the ADPPA to the APRA of 2024 here.
E&C Telehealth Hearing
Key Takeaway: Last week, the E&C Subcommittee on Health held a hearing titled “Legislative Proposals to Support Patient Access to Telehealth Services.” Fifteen bills were discussed, most notably two that CHIME supports: The Telehealth Modernization Act of 2024 (H.R. 7623) and the Creating Opportunities Now for Necessary and Effective Care Technologies (CONNECT) for Health Act of 2023 (H.R. 4189).
Why It Matters: Flexibilities established during the pandemic are scheduled to end on December 31st unless Congress acts. The purpose of the hearing was to examine a range of proposals that would bolster access to telehealth services. Lawmakers recognize the value of telehealth and its flexibilities, with several members of the Subcommittee calling for permanent extension of these provisions through the passage of the Telehealth Modernization Act.
IPPS Proposed Rule Published
Key Takeaway: The Centers for Medicare & Medicaid Services (CMS) has issued its fiscal year (FY) 2025 Medicare hospital inpatient prospective payment system (IPPS) and long-term care hospital prospective payment system (LTCH PPS) proposed rule. Find the rule here and the fact sheet here. Keep an eye out for a cheat sheet from us soon!
Why It Matters: The IPPS / LTCH is the first of many payment rules to be published by CMS annually. CMS has proposed several policies for hospitals in the rule, including a payment update of 2.6 percent for acute hospitals and an increase of 2.8 percent for LTCHs.
Among the policies proposed in the 1,902-page rule are changes to the Promoting Interoperability program and the electronic clinical quality measures (eCQMs). They call for:
- Separating one existing measure related to antimicrobial use and resistance into two measures;
- Adopting two new eCQMs related to hospital harm;
- Modifying the eCQM related to the Global Malnutrition Composite Score;
- Increasing the total number of mandatory eCQMs reported by hospitals over two years;
- Increasing the performance-based scoring threshold for hospitals for the Medicare Promoting Interoperability Program from 60 points to 80 points beginning in calendar year 2025.
CMS is also issuing a request for information (RFI) describing goals and principles for the Medicare Promoting Interoperability Program’s Public Health and Clinical Data Reporting objective. The agency has also proposed a new mandatory payment model, the Transforming Episode Accountability Model (TEAM), aimed at ensuring that people with Medicare receive coordinated, high-quality care during and after certain surgical procedures. Details here.
HC3 Analyst Note on Top 10 Most Active Ransomware Groups
Key Takeaway: The Health Sector Cybersecurity Coordination Center (HC3) released an analyst note on its top 10 most active ransomware groups, including LockBit 3.0, ALPHV (also known as Blackcat), BianLian, and more. This report offers high-level insights into the ransomware groups that HC3 has observed targeting the healthcare sector.
Why It Matters: In the past couple of months, HC3 has tracked 730 attacks against the Healthcare and Public Health (HPH) sector worldwide. Among these incidents, more than 530 affected the U.S. HPH, and nearly half of those attacks were ransomware related. HC3 urges organizations to review the note and stay updated on the latest ransomware threats.
HC3 Vulnerability Bulletin for March 2024
Key Takeaway: HC3 has released its vulnerability bulletin for last month, which details vulnerabilities affecting the healthcare sector that require attention. The listed vulnerabilities include those from Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMware, Adobe, Fortinet, and Atlassian.
Why It Matters: The bulletin includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.
CISA Malware Analysis Tool
Key Takeaway: The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new malware analysis system, called Malware Next-Gen. This system enables organizations to submit malware samples for analysis. CISA aims to better support organizations through the system by automating the analysis of newly identified malware and enhancing cyber defense efforts.
Why It Matters: Malware Next-Gen is an advanced automated analysis system that helps CISA better analyze potentially malicious files or uniform resource locators (URLs). Since November, almost 400 registered users have submitted over 1,600 files, identifying about 200 suspicious or malicious files and URLs. The system facilitates a quick and effective response to evolving cyber threats, safeguarding critical systems. CISA encourages organizations to register and submit suspected malware into the system for analysis. For more information, read here.
405(d) and CISA Hold Webinar on Priority Communications
Key Takeaway: The Health and Human Services (HHS) 405(d) Program and CISA hosted a webinar discussing CISA’s Priority Telecommunication Services. Priority communications are crucial for maintaining operations during conditions such as weather events, cyber-attacks, or human error. You can watch the recording here and download the slides here.
Why It Matters: It is essential for everyone in all sixteen critical infrastructure sectors to communicate effectively when there are issues with telecommunications networks. CISA offers various services that provide priority communication capabilities, such as the Government Emergency Telecommunications Service (GETS), Wireless Priority Service (WPS), and Telecommunications Service Priority (TSP).
CISA Issues Emergency Directive on Compromise of Microsoft Emails
Key Takeaway: CISA recently issued Emergency Directive (ED) 24-02, which addresses the campaign by Russian state-sponsored cyber actor Midnight Blizzard to exfiltrate email correspondence of Federal Civilian Executive Branch (FCEB) agencies through compromising Microsoft corporate email accounts. Check out the directive here.
Why It Matters: While the ED is issued for federal agencies, other organizations may be impacted. ED 24-02 requires FCEB agencies to analyze the content of stolen emails, reset compromised credentials, and secure privileged Microsoft Azure accounts. CISA encourages all organizations to take precautionary security measures, including using strong passwords, implementing multifactor authentication (MFA), and prohibiting the sharing of unprotected sensitive information via unsecured channels to mitigate this risk.
Data Compromise of Sisense Customers
Key Takeaway: CISA is collaborating with private industry partners to respond to a data compromise impacting Sisense. This company provides data analytics services, and a breach of their customer data has been discovered. Read more here.
Why It Matters: CISA is urging Sisense customers to reset credentials that may have been exposed to or used to access Sisense services. They are also encouraging customers to investigate and report any suspicious activities involving exposed credentials from Sisense services.
College of Healthcare Information Management Executives (CHIME)