We need to create a legal framework that recognizes the public safety interest in the continued reliability, safety, and stability of health care technology companies' operations. If Change Healthcare were Change Airlines and regulated accordingly, there would be an investigation by the National Transportation Safety Board into the attack on its systems and the circumstances leading to its outage.
Just as first responders are mobilized in response to natural disasters, a national cyber disaster response team should be established to oversee and assist in restoring services after such attacks. Defined financial and regulatory relief for health care providers in response to significant outages in medical technology services and requirements for insurance companies to pay for prescriptions and treatments performed in good faith. An existing framework is required.
The healthcare technology industry is likely to resist the prospect of additional regulation. However, the industry benefited immensely when the government granted it a captive market in 2009. The Health Information Technology for Economic and Clinical Health Act was intended to increase the number of software and technology jobs while improving the quality, safety, and efficiency of health care. Care. This law provided financial incentives for doctors and hospitals to use electronic medical records systems, and subsequent penalties for failure to use these systems. We expect a high level of accountability from healthcare providers, but HITECH required healthcare providers to rely on companies that do not have the same level of public accountability. It's time to change that.
Kathleen Gould, Oak Park, Illinois
The devastation to healthcare providers large and small and their patients caused by the cyberattack on UnitedHealth Group's subsidiary should give us all pause.
Cyber events, such as ransomware attacks by terrorist attackers, are an ongoing danger to the healthcare ecosystem. Even the best information technology systems in the country cannot avoid this, because human error, such as a well-meaning employee clicking on a link while reading an e-mail message, is inevitable in any business environment. Such intrusions cannot be completely prevented.
This does not mean that organizations cannot prepare for such attacks. Maximize redundancy. Build multiple offsite continuous data backups. Have emergency resources on hand, including funds to advance payments to customers and clients. And most importantly, build a crisis communications plan, especially for the largest cyber events.
The rest of us also need to consider the downside of a single healthcare company becoming so large that the disruption of its technology could harm far too many healthcare providers and patients.
David A. Ball, Newton, Massachusetts