View Full Version Here HSCC Applauds Stark Waiver for Cyber Assistance to Health Systems

Healthcare Industry Applauds HHS Rule to

Permit Cybersecurity Assistance to Health Providers

Waiver of Anti-kickback Regulation Recognizes New Era of Cyber Threats to Patient Safety


Washington, DC – October 9, 2019 – Today the U.S. Department of Health and Human Services issued rules that would permit the donation of cybersecurity technology and assistance to under-resourced health systems without violating outdated Stark and Anti-Kickback statutes.

The healthcare sector applauded the move.  “This progressive change shows that HHS takes healthcare cybersecurity seriously,” said Terry Rice, a member of the 2017 Healthcare Industry Cybersecurity (HCIC) Task Force, appointed by HHS at the direction of the Cyber Security Act of 2015. This waiver of the Stark and Anti-Kickback Statutes was a key recommendation made by the HCIC.  Rice now serves as the Chair of the Healthcare and Public Health Sector Coordinating Council (HSCC) Joint Cybersecurity Working Group.

In 2018, the HSCC echoed the HCIC Task Force recommendation with a letter to the HHS Inspector General and another to the Center for Medicare and Medicaid (CMS). The HSCC argued that, since the enactment of the Stark and Anti-Kickback statutes, the healthcare system has evolved into a vastly different network that is heavily dependent upon data being stored and moved electronically.  “Now, as cyber attacks have become more sophisticated, the healthcare sector is a prime target for ransomware, data theft and operational disruption,” said Greg Garcia, the executive director of the HSCC’s Joint Cybersecurity Working Group.  “The growth of digitized medicine and connected devices has expanded the threat against providers that are ill-equipped to combat the escalating severity of cyberattacks. Of critical importance is that these risks pose serious threats to patient safety, so any cybersecurity assistance to health providers can only accrue to the benefit of patient health and safety.”

Rice concluded that “HHS heard us and responded affirmatively, and did so during National Cyber Security Awareness Month for good measure.  This demonstrates that the public private partnership is working well to improve the security and resiliency of the health system and patients against cyber threats.”

About the HSCC Joint Cybersecurity Working Group

The Healthcare and Public Health Sector Coordinating Council (HSCC) is a coalition of private-sector, critical healthcare infrastructure entities organized under Presidential Policy Directive 21 and the National Infrastructure Protection Plan to partner with government in the identification and mitigation of strategic threats and vulnerabilities facing the sector’s ability to deliver services and assets to the public.  The HSCC Joint Cybersecurity Working Group (JCWG) is a standing working group of the HSCC, composed of more than 200 industry and government organizations working together to develop strategies to address emerging and ongoing cybersecurity challenges to the health sector.