
EMS.gov | HHS Announces New Performance Goals to Enhance Cybersecurity

EMS News

HHS Announces New Cybersecurity Performance Goals to Enhance Cybersecurity

The U.S. Department of Health and Human Services (HHS), through the Administration for Strategic Preparedness and Response (ASPR), announced on January 24, 2024, the release of new voluntary Cybersecurity Performance Goals (CPGs). These guidelines are specifically designed for the Health Care and Public Health (HPH) sector. Additionally, HHS launched a gateway website to streamline the implementation of these cybersecurity measures and facilitate access to extensive resources provided by HHS and its federal partners.

The HPH CPGs are designed to better protect the healthcare sector from cyberattacks, improve response when events occur and minimize residual risk. HPH CPGs include both essential goals to outline minimum foundational practices for cybersecurity performance and enhanced goals to encourage adoption of more advanced practices.


As healthcare continues to embrace digital transformation, the importance of cybersecurity has never been more critical. We urge the EMS community to engage with this significant development. The new CPGs represent a proactive step by ASPR and HHS to fortify the healthcare sector’s defenses against cyber threats.


Webinar | HHS Roadmap for Cybersecurity in Health Care

On Wednesday, December 6, 2023, the Department of Health and Human Services (HHS) Office of Intergovernmental Affairs (IEA) will host a webinar on healthcare sector cybersecurity from 4:30 p.m. to 5:00 p.m. EST. HHS IEA stated speakers will discuss “the Department’s roadmap for cybersecurity in health care and answer questions on how HHS can help protect patient safety, secure our hospitals, and improve cyber resiliency in health care.”

HHS IEA indicated the event will feature the following speakers:

  • HHS Deputy Secretary Andrea Palm; and
  • Speakers from the Administration for Strategic Preparedness and Response (ASPR).

Registration for the event can be found at: Webinar Registration.

HIPAA and Mobile Devices: What Your Service Needs to Know

For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to.

This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device. Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital’s EHR data.

While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.

The kind of health information that these devices have access to is called protected health information, or PHI. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, medical information, insurance ID numbers, addresses, full facial photos, and telephone numbers, to name a few.

The HIPAA Rules set specific standards for maintaining the privacy, security, and integrity of PHI. Though the regulation can seem complex, the standards are in place to safeguard PHI. As per HIPAA, ambulance services necessarily fall under the category of Covered Entities, meaning that they are responsible for maintaining compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule.

These two rules set limits for how and when PHI must be stored and accessed. Below, we list a few of the major components of the HIPAA Rules that all ambulance services can implement in order to keep PHI safe and secure on the go.

  • All mobile devices that can access PHI must have full-disk encryption. Additionally, all devices should be routinely backed up on encrypted servers. In the event that a device is lost or stolen, full-disk encryption will keep hackers or thieves from accessing sensitive health data.
  • Your organization should have HIPAA policies and procedures in place pertaining to mobile devices taken “off-site.” This would necessarily include all laptops, tablets, and smartphones with access to PHI that are used in pre-hospital care in an ambulance. By outlining when devices are permitted to be used, who is permitted to use them, and how they are to be handled in off-site settings, your organization will mitigate the risk to PHI stored on these devices.
  • Keep a full inventory of all devices within your organization that can access or handle PHI in any way. Routine check-ups on the condition and location of devices listed in your inventory will help ensure that devices are not misplaced. And in the event that a device is misplaced or stolen, organization officials will notice as soon as the inventory is reviewed so that action can be taken to remedy the breach.
  • Access to PHI on mobile devices and in pre-hospital settings should be limited only to essential members of the organization’s workforce. This is known as the Minimum Necessary Standard. It’s a part of the HIPAA Privacy Rule that states that access to PHI must be limited based on employees’ roles, and that when access is granted, it should be limited to the minimum access necessary for each employee to perform their role.

These are just a few of the ways that ambulance services can protect PHI and comply with HIPAA mobile device standards.

In addition to the actions listed above, a total compliance program that addresses the full extent of the law must be in place in order to prevent HIPAA violations and data breaches.

Addressing HIPAA compliance can help ambulance services confidently treat their patients without worrying about the risk of data breaches or government fines.

5 Can’t-Miss EMS Podcasts

Podcasts are a great way to gain information and insight on a variety of topics.  With the intimidating number of podcasts on the topic of EMS and leadership available, it can take a bit of time to find the one that’s right for you.  I have been a fan of podcasts for several years now, and while some of my favorites have dropped off over the years, I am certain there are many new favorites out there waiting to be discovered.

If you’re not yet listening to podcasts, I encourage you to start exploring – here is a quick list of some of my current favorites in EMS and leadership to get you started. (* The links we’ve included are to iTunes, but these podcasts can be found on just about any podcast service.)

  1. Prehospital Emergency Care Podcast
    This is a newer podcast, and quickly landed on my subscribed list for the obvious reason: it is the official podcast for the NAEMSP. The first few episodes were recorded during the most recent NAEMSP annual meeting; in the most recent, the hosts spend time interviewing authors of studies published in the PEC journal, discussing results and questioning when, and how, changes should be implemented based on those results. I’ve been able to make the NAEMSP conference a few times, and it is truly enjoyable. This podcast is a nice way to keep up on the research and recommendations coming from the NAEMSP.
  2. EMJ Podcast
    This podcast discusses the research published in the Emergency Medicine Journal (EMJ) and is a great listen, in my opinion. The hosts are easy to listen to and the way they discuss the research and potential application is thought provoking, particularly given the international perspective.
  3. CPR Podcast
    This podcast is a little bit of everything in EMS. While most of the episodes seem to have a clinical education spin, others delve into some standard practice, leadership, and provider health and safety topics as well. The conversations are well planned without seeming overly rehearsed, which adds a measure of sincerity to the commentary.
  4. Dear HBR
    This is a newer podcast and is produced by the Harvard Business Review.  While not directly related to EMS, there is value for EMS listeners.  Individuals write to the show and ask questions – many of which are about how to handle conflicts or difficult situations in the workplace – and the hosts discuss the question at hand and the advice they might give the individual based on personal experience and available research.  There is so much we can learn through the experience of others, and this is a good way to compare our own experience with the experience of others, and perhaps walk away with some good advice.
  5. EM Weekly
    The focus of this podcast is emergency management (EM), but the discussion topics span everything from tactical planning to leadership and future possibilities. The host and guests mix in a bit of the history of EM throughout the episodes, which helps provide perspective and understanding of the evolution of emergency management over time, and ideas for the future.

Editor’s Note

Samantha Hilker, author of this article, is the host of the excellent EMS in Wisconsin podcast created by the Professional Ambulance Association of Wisconsin. Don’t miss it!

Patient Satisfaction and the Collections Conundrum

Emergency Strikes

The year was 2001—seems like a distant memory. Expecting our first child, my wife and I were living in Modesto, California, thinking about cradles and nurseries. We were so excited—the little one we’d been expecting was on his way! Excitement quickly changed to deep concern as we learned there were some major complications with the pregnancy and our baby was in serious jeopardy. Life’s pause button was pushed as everything else in the world came to a screeching halt.

An ambulance transport and emergency delivery later, we found ourselves in our new home—the neonatal intensive care unit. For the next four months, we worked with medical teams around the clock to slowly usher our new 1-pound, 4-ounce son, Noah (now 15 years old), into the world.

Financial Domino Effects

This was an incredibly stressful time in our lives. Of all the things that burdened us, one of the most memorable was the nearly $5,000 invoice we received for a specific service. With no clue how we would pay this, I finally worked up the courage to pick up the phone and call the number on the invoice. The provider was demanding immediate payment before sending the bill to collections.

Me? Collections? But I’m the good guy, right? People should be reaching out to care for me. What just happened? After days of multiple information exchanges between me, the billing office and my insurance carrier, we finally figured it out—all charges were to be covered by insurance.

While our care through this time was generally very good, this unexpected charge put a cloud over the provider who lacked the proper information—despite a 120-day inpatient stay. Why did the provider send our bill to collections without contacting us? Where was the disconnect? Does this still happen today?

Fast Forward 15 Years to Smarter Billing and Collections

Sadly, this is not an isolated incident. Everyone knows a person with a similar story. But what if this patient billing story could be different? What if instead of multiple collection agency invoices demanding payment, I had been contacted early in the process? Or better yet, what if everything had occurred behind the scenes between provider and payor?

Technology advancements have narrowed the data gap that created these and other tensions for patients, providers and insurance carriers. Health care providers today can better serve their patients and communities through technology. The systems required to instantly supply insurance information and ensure patient-friendly billing are now available. It’s a matter of awareness and investment. Two key technology strategies are rapidly emerging to make collection letters and calls a thing of the past.

Real-Time Insurance Discovery

Insurance discovery solutions help providers find hidden insurance coverage for patients up front versus after the fact. Especially in emergency or self-pay situations, patients may have coverage the provider doesn’t know about. Finding coverage provides a tremendous boost to patient satisfaction and financial engagement.

For providers, finding and securing coverage early in the encounter helps billing teams circumvent months of patient statement and collection efforts. Operational costs are reduced and payor reimbursement is hastened. Best practices are rapidly emerging on how to incorporate real-time insurance discovery within patient registration and billing workflows.

Payment Likelihood Determinations

Where insurance coverage can’t be found or high deductibles result in exorbitant patient financial responsibilities, checking “payability” becomes crucial. Patients with minimal cash reserves or low propensity to pay can be moved to charity care, Medicaid, or account write-off. Families likely to qualify for financial assistance are also quickly identified by using payment likelihood applications.

Billers and collectors are more efficient and effective without damaging patient relations or community reputation. It is often a smarter long-term decision to write off patient balances in those cases where personal bankruptcy is only one medical bill away.

Proactive financial engagement, insurance discovery and smart collections are in the early stages in healthcare. However, provider organizations that embrace more patient-friendly billing strategies can significantly promote patient satisfaction and long-term community benefits.

Ted Williams has been a featured presenter at regional and national EMS conferences, including the state medical associations, ambulance networks, and technology user group conferences. Williams is a founder of Payor Logic, a national provider of healthcare revenue cycle solutions.
