“AAFP has long supported policies that ensure adequate security of protected health information while improving access to patient data and enhancing the ability to share patient health information across healthcare teams,” said an earlier letter. “We strongly support ensuring that data is interoperable while maintaining patient confidentiality and fundamental rights to privacy.”
“This rapid transition of healthcare into the electronic age has inevitably placed all healthcare organizations at risk of cyber-attacks,” wrote the Academy. Noting that more than 45 million people were “affected by cybersecurity attacks against healthcare professionals in 2021,” the Academy said the privacy and security of patient medical data is a top priority for physician practices, but “not everyone has the resources—the financial competence or the technical knowledge needed to successfully establish and implement cybersecurity best practices.”
AAFP Policy Guidance
“Congress has asked the Office of the National Coordinator for Health IT to consider including cybersecurity framework best practices in health IT certifications as part of a strategy for industry-wide adoption of standard best practices. We need to work,” the Academy told Warner’s office. “If all EHR vendors are required to incorporate these practices into their technology, small physician practices that purchase and utilize software and systems but do not have their own IT resources will be able to benefit from basic cybersecurity protection.
“In the meantime, AAFP encourages Congress to consider ways to encourage all healthcare organizations to adopt voluntary guidance from the National Institute of Standards and Technology. needs support for effective implementation in
Other recommendations made by the Academy include:
- A workforce development program to address the healthcare cybersecurity staffing shortage, modeled after ONC’s Regional Extension Center program, with incentives to work in rural independent small clinics, underserved communities and communities lacking health professionals.
- A student loan forgiveness or repayment program that allows cybersecurity professionals to serve healthcare and small healthcare facilities, especially safety net facilities, in rural or underserved communities for several years.
- Congress and HHS leadership towards building a strong set of best practices and implementation guides with specific, real-world guidance to improve cybersecurity practices in all healthcare environments, available to physician practices of all types, settings, and sizes.
- Incentives for adherence to minimal cybersecurity practices rather than penalties for non-compliance, within a policy-making stance focused on quality improvement and assurance rather than blame and penalties.
- High cybersecurity standards and adherence to industry best practices mandated by qualified EHR and medical device vendors.
- Explicit accounting for cybersecurity costs reflected in Medicare payments (which, like other basic costs, are incorporated into medical fees and other formulas).
- Congressional support and regulation of cyber insurance to enable smaller healthcare providers to purchase insurance (including, for example, minimum coverage provisions as guardrails against junk plans).
Because the HIPAA Privacy Rule only protects health data held by covered entities or their business associates, the letter called on Congress to “take steps to protect personal and health data outside of HIPAA,” including cybersecurity, and sought to ensure that the rule extends beyond the HIPAA regulation framework.
Documents from Warner’s office describe how Congress should work with HHS to improve cybersecurity resources and capabilities, and how the Center for Health Information Sharing and Analysis is “the best agency for information sharing among medical institutions.” In response to that question and its follow-up, “Would incentives for smaller health sector entities be beneficial to the national health care system?”, the Academy wanted a solution that didn’t add administrative complexity.
“Given that access to resources through H-ISAC requires a paid membership, cost can be a barrier to benefiting smaller organizations,” the AAFP said. “We encourage Congress to evaluate the effectiveness of H-ISAC and, if determined that it is the best entity for sharing information across healthcare organizations, seek federal funding and support from the government. Encourage private sector partnerships to be considered to significantly expand access to resources for smaller organizations, and for under-resourced physician practices.
“Congress should consider ways in which small, independent physician practices can benefit from, and realistically implement, the practices contained in the resources provided, without having to become members of H-ISAC.”
Both letters advocated other cost limits, policy streamlining, and workforce development programs that would enhance health data security without adding an administrative burden to physicians.
In supporting the Healthcare Cybersecurity Act, the Academy said the bill would provide greater coordination and information sharing among the Cybersecurity and Infrastructure Security Agency, HHS, and healthcare organizations, and bring about movement towards simplified administration. It will also put into action many of the priorities outlined in the Academy’s letter to Senator Warner. This includes training for healthcare organizations on cybersecurity risks and mitigation strategies, and initiatives to address cybersecurity workforce shortages in healthcare organizations, especially rural and small and medium-sized healthcare organizations.
The Academy also tracks the Health Care Provider Safety Act (HR 7814 / S. 4268). It establishes a grant program, in line with the AAFP policy recommendations, for healthcare organizations to strengthen physical and cyber security of their facilities, personnel and patients.