The AMA applauded a proposal for new federal cyber incident reporting rules, but also cited the urgent need to bolster defenses against cybercrimes in the health care sector that pose a risk to both patient safety and the security of the nation’s entire health care infrastructure—especially with its overreliance on one vendor.
“The Change Healthcare cyberattack demonstrates the extreme interconnectedness within our critical sector, a significant dependency on one vendor, and the fragility of the system when that vendor suffers an attack and is nonfunctional,” AMA Executive Vice President and CEO James L. Madara, MD, wrote in a letter to Jen Easterly, director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
“The Change Healthcare attack offers a case study of the acute impact on patients, physicians, hospitals, pharmacies, labs and countless additional health care professionals, providers and entities across the country—particularly those small and independent physician practices that operate on a thin financial margin and did not have the resources to weather a storm of this magnitude,” Dr. Madara’s letter says.
The letter also states that cybersecurity must be a national priority for the following reasons:
- Cybersecurity is a patient-safety issue.
- Cyberattacks are inevitable and increasing.
- Physicians are interested in receiving tools and resources to assist them in cybersecurity efforts.
- The health care sector exchanges health information electronically more than ever before, putting the entire health care ecosystem at greater risk.
CISA’s proposed rule involves implementation of the reporting requirements included in the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Those requirements are intended to improve the agency’s ability to use cybersecurity incident and ransomware payment information reported to the agency to identify patterns in real time, fill critical information gaps, rapidly deploy resources to help entities that are suffering from cyberattacks, and inform others who would be potentially affected.
Covered entity concerns
The proposed cyber incident reporting rule for covered entities was described in the letter as “complementary” to similar requirements mandated by the Federal Trade Commission and the breach-notification provisions of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act.
The AMA generally supports the criteria that would be used to determine which stakeholders in the health care infrastructure should be considered covered entities and be required to report cyber incidents.
The criteria are consequence, threat and vulnerability. The AMA also agreed with the agency’s assessment that most physician practices are not large enough to be considered a covered entity under the proposed regulation.
The proposal specifically states that large hospitals, critical access hospitals, manufacturers of essential medicines and manufacturers of Class II and III medical devices would be considered covered entities.
The AMA, however, also urges CISA to explicitly include health insurance companies and intermediaries—such as clearinghouses—as covered entities under this regulation.
Security tools, workforce needed
In addition to providing patients, physicians and non-physician clinicians tools to bolster their cyber defenses, the letter also calls for bolstering the skilled workforce needed to secure sensitive patient information.
The AMA supports the proposed use of a web-based incident-reporting form requiring “abundant details” about what must be included in reports, the letter says. But it also noted the need for more clarity in how that information will be used and shared.
“There should also be an educational component to the information that is shared broadly with stakeholders so that they know what steps to take to mitigate the threat, even if they are not cybersecurity experts or well-versed in technology frameworks,” the letter says.
Also suggested is the creation of a regional extension center program to educate physician practices and other smaller entities on cybersecurity best practices and to share actionable information about vulnerabilities exposed in the cyber-incident reports.
“Such a program would help address the shortage of available health IT and cybersecurity professionals and the lack of cybersecurity expertise in many physician practices,” the letter says.
Learn more about cybersecurity
“Cybersecurity in Medical Practice” is an eight-episode AMA Ed Hub™ course of enduring material designated by the AMA for a maximum of 2 AMA PRA Category 1 Credit™.