Congress gets detailed advice on cybersecurity from the AAFP
“The AAFP has long supported policies that ensure appropriate security of protected health information while working to improve patients’ access to their data, as well as the ability to share patients’ health information across the care team,” the previous letter states. “We strongly support making data reliably interoperable while preserving patient confidentiality and the fundamental right to privacy.”
“The rapid transition into this electronic age of healthcare has made the threat of cyber-attacks unavoidable to all healthcare organizations,” the academy wrote. Noting that more than 45 million people “were affected by cybersecurity attacks on healthcare professionals in 2021,” the letter added that while the privacy and security of patient health data is a top priority for physicians’ practices, “not all have the resources, financial capacity or the technical knowledge needed to properly establish and implement best practices in cybersecurity.”
AAFP Policy Guidelines
“Congress should encourage the Office of the National Coordinator for Health Information Technology to consider including cybersecurity framework best practices in health information technology certification as one strategy for achieving industry-wide adoption of standard best practices,” the academy told Warner’s office. “If all electronic health record vendors were required to integrate these practices into their technology, this would enable smaller clinician practices who purchase and use their own software and systems but lack IT resources of their own to take advantage of basic cybersecurity protections.”
In the meantime, the AAFP recommends that Congress consider ways to encourage all health entities to adopt voluntary guidance from the National Institute of Standards and Technology, with technical assistance and support for effective implementation in real-world settings.
Other recommendations made by the Academy included:
- A workforce development program to address the major shortage of healthcare cybersecurity personnel by offering incentives for these professionals to work in independent and small rural practices, those in disadvantaged communities, and communities with a shortage of health professionals, similar to the ONC Regional Extension Center Program;
- Student loan forgiveness or repayment programs that would allow cybersecurity professionals to spend several years serving health care organizations in rural or underserved communities and smaller health care institutions, especially safety net facilities;
- Leadership from Congress and HHS toward building a robust set of best practices and implementation guides with specific, real-world guidance for improving cybersecurity practices in all healthcare settings, available to physician practices of all types, settings, and sizes;
- Incentives for compliance with minimum cybersecurity practices rather than penalties for non-compliance, within a policy-making stance that focuses on quality improvement and assurance rather than blame and penalties;
- High standards of cybersecurity and compliance with mandated industry best practices for certified electronic health record vendors and medical device vendors;
- Explicit accounting for cybersecurity expenses in Medicare payments (incorporated into practice expense and other formulas, like other essential expenses); and
- Congressional support for, and regulation of, cyber insurance so that smaller healthcare organizations can afford coverage (including, for example, minimum coverage provisions as a buffer against unwanted plans).
Because the HIPAA privacy rule only protects health care data held by a covered entity or its business associates, the letter also called for Congress to “take action to protect personal and health data outside of HIPAA and to ensure that cybersecurity and privacy rules extend beyond the HIPAA regulatory framework.” The Academy urged this and related protections in a September 15, 2022 letter to the US House Energy and Commerce Committee.
The document from Warner’s office asked how Congress should work with HHS to improve its cybersecurity resources and capabilities and whether the Health Information Sharing and Analysis Center (H-ISAC) is “the best entity for sharing information among healthcare organizations.” In answering this and the follow-up question – “Will incentives for smaller health sector entities be beneficial to the country’s healthcare system?” – the Academy pushed for solutions that do not add administrative complexity to family medicine practices.
“Given that access to resources through H-ISAC requires a paid membership, cost is likely to be a barrier to benefit for smaller organizations,” the letter states. “We encourage Congress to evaluate the effectiveness of H-ISAC and, if it is determined to be the best entity for sharing information across health care organizations, consider federal funding and a government-private sector partnership to expand access to its resources to significantly under-resourced physician practices.”
“Congress should consider ways in which small, independent physician practices can benefit from and realistically implement the practices included in the resources offered without having to be a member of H-ISAC.”
Both letters called for capping other costs and streamlining policies and workforce development programs that would enhance health data security without adding an administrative burden to clinicians.
In its support of the Healthcare Cybersecurity Act, the Academy noted that the bill would provide greater coordination and information sharing between the Cybersecurity and Infrastructure Security Agency (CISA), HHS, and healthcare entities, a step toward administrative simplification. It would also initiate a number of the priorities outlined in the Academy’s letter to Senator Warner, including training healthcare entities on cybersecurity risks and mitigation strategies and initiatives to address cybersecurity workforce shortages for healthcare organizations, particularly rural and small and medium-sized organizations.
The Academy is also tracking the Healthcare Provider Safety Act (HR 7814/S. 4268), which would establish a grant program for health care organizations to enhance the physical and electronic security of their facilities, employees, and patients, consistent with AAFP policy recommendations.