
Could new cyber rules be in the future for clinicians?

Health, HIPAA/HITECH, Industry specific

Medicare 2025 Payment Rule for Physicians Hints at Possible New Cyber Expectations

Image: Getty Images

Federal regulators are again signaling that stronger cybersecurity practices could be tied to financial incentives for medical practices that participate in Medicare.


The Centers for Medicare and Medicaid Services, in a short paragraph buried in its nearly 3,100-page 2025 physician fee schedule and payment policy rule published Friday, said regulators are considering ways to promote cybersecurity best practices going forward for clinicians who are eligible to participate in the CMS Merit-Based Incentive Payment System.

MIPS is a program that links Medicare payments to a physician's performance. One component is the Promoting Interoperability program, or PI, a rebranding of the HITECH Act's financial incentive program for the "meaningful use" of electronic health records. The PI program focuses on strengthening patient access to health information and electronic information sharing.

Security is not an entirely new concept for the PI program. For at least the past four years, the PI program has required MIPS participants to complete a security risk analysis and attest annually that they have done so.

But additional security best practices could become part of the mix of program requirements for clinicians participating in MIPS, based on what CMS said in its 2025 payment policy rule.

“We want to alert readers to additional HHS resources and activities related to cybersecurity best practices, as recently summarized in an HHS strategy paper that provides an overview of HHS recommendations to assist the healthcare sector to address cyber threats,” CMS wrote in the rule.

HHS recently published a website detailing its recommended cybersecurity performance goals, CMS noted. "We plan to consider how the Promoting Interoperability performance category can promote cybersecurity best practices for MIPS-eligible clinicians going forward."

In a December concept paper, HHS described 10 "essential" and 10 "enhanced" cybersecurity performance goals as "voluntary" best practices. The same paper also suggested that those practices could become mandates for hospitals, enforced through CMS financial incentives and penalties (see: Feds Wave Sticks, Carrots to Health Sector to Support Cyber).

CMS did not immediately respond to Information Security Media Group’s request for comment on potential plans for new cybersecurity measures for healthcare providers, including clinicians and hospitals.

But some experts said HHS has hinted for some time that it might raise cybersecurity expectations for healthcare entities.

"HHS had predicted that in the coming years Promoting Interoperability program measures could include some type of cybersecurity scoring," said privacy attorney David Holtzman of the consulting firm HITprivacy. "You can think of it as a nerdy telegraph. CMS is simply sending messages that this is being considered for next year's edition of the physician fee schedule. There really is no 'beef' to answer the question 'Where's the beef?'" he said.

Regulatory attorney Rachel Rose said some incentives for better security at healthcare entities, as well as at the third parties that handle HIPAA-protected health information on their behalf, already exist.

An amendment to the HITECH Act, signed into law on Jan. 5, 2021, gives HIPAA-covered entities and business associates "the opportunity to reduce investigations and potentially reduced fines" as long as they can demonstrate they had "recognized security practices," such as the NIST Cybersecurity Framework, in place for the previous 12 months.

“Some people respond to carrots and others to sticks,” she said.