Federal regulators are again signaling that stronger cybersecurity practices could be linked to financial incentives for physician practices that participate in Medicare.

See also: Enterprise Browser to Support Healthcare and Cyber ​​Resilience

The Centers for Medicare and Medicaid Services buried a short paragraph in its nearly 3,100-page 2025 fee schedule and payment policy rule Regulators are considering encouraging cybersecurity best practices for clinicians eligible to participate in the CMS Merit-Based Incentive Payment System in the future, a report released Friday said.

MIPS is a program that ties Medicare payments to a doctor’s performance. One component is Promoting Interoperability programs, or PI, which is a rebranding of the HITECH Act’s financial incentive program for “meaningful use” of electronic health records. The PI program focuses on supporting patient access to and electronic exchange of health information.

Security is not a completely new concept for the PI program. For at least the last four years, the PI program has included a requirement that MIPS participants annually complete a security risk analysis and approve execution.

But additional security best practices could become part of the program’s mix of requirements for clinicians participating in the MIPS program, CMS said in its 2025 payment policy rule.

“We want to alert readers to additional HHS resources and activities related to cybersecurity best practices, as recently outlined in an HHS strategy document that provides an overview of HHS recommendations to help the healthcare industry address cyber threats,” CMS wrote in the rule.

HHS recently issued a website CMS detailed the proposed cybersecurity performance targets. “We intend to evaluate how Supporting Interoperability performance can support cybersecurity best practices for MIPS-eligible clinicians in the future.”

HHS in December concept document He called 10 “basic” and 10 “improved” cyber security performance targets “voluntary” best practices. The same document also hinted that best practices could become mandatory for hospitals regulated through CMS financial incentives and penalties (see: Feds Shake Sticks and Carrots at Healthcare to Strengthen Cyber).

CMS did not immediately respond to a request from the Information Security Media Group for comment on potential plans for new cybersecurity measures for healthcare providers, including clinicians and hospitals.

But some experts said HHS has been hinting for some time that it might raise cybersecurity expectations for healthcare organizations.

“HHS has anticipated that Interoperability Promotion Program measures may include some form of scoring for cybersecurity in the coming years,” said privacy attorney David Holtzman of the consulting firm HITprivacy. “You can think of it as a cow telegram. It’s a message from CMS letting them know they’re considering this for next year’s edition of the physician fee schedule. ‘Where’s the beef?’ “There’s really no such thing as ‘no beef’ to answer the question,” he said. .

Regulatory attorney Rachel Rose said some incentives already exist for healthcare industry organizations and third parties that handle HIPAA-protected health information to provide better security.

An amendment to the HITECH Act, signed into law on January 5, 2021, provides HIPAA-covered entities and their business partners with the “opportunity to shorten investigations and reduce potential penalties” as long as they can demonstrate that they have recognized security practices, such as the NIST Cybersecurity Framework, which is in effect for 12 months.

“Some people respond to carrots, some respond to sticks,” he said.