AHIMA’s Position
AHIMA supports the use of policy to address the information security, including cybersecurity, of patients’ health information. Health information (HI) professionals have extensive knowledge and expertise to contribute in developing these policies. Any legislation or regulation that addresses cybersecurity or information security must consider the people, processes, and technologies that affect cybersecurity. To make the strides needed in cybersecurity within healthcare, AHIMA believes that policy must address the following:
Policy must prioritize engagement of all healthcare industry stakeholders and align with cross-sector cyber threat information sharing activities, ensuring information is tailored toward multiple levels of organizational size, capacity, and venue, and implemented consistently while preserving patient confidentiality and privacy.
Policy must support organizations’ ability to keep data confidential, ensure the integrity of the data, and ensure authorized users have timely, reliable access to data.
Provide strong and clear leadership from the federal government.
Policy must ensure that there is clear and comprehensive leadership, guidance, and enforcement from the federal government.
Harmonize laws and regulations, including state and federal laws.
Policy must work to ensure that health organizations are not beholden to inconsistent and conflicting data protection standards of compliance. Policy must also work to ensure that legislation and regulations seeking to address information security, cybersecurity, and privacy are complementary, including the harmonization of definitions across all areas.
Policy should include federal funding or incentives for training or certifications specific to healthcare information security, cybersecurity, privacy, and HI professionals to encourage advanced cybersecurity skills. Policy should also foster incentives to encourage a workforce that has expertise across all of these areas.
Data breaches are an ever-growing threat in healthcare. The average total cost of a data breach in the healthcare industry is $6.45 million, 65 percent higher than the average cost of a data breach across all sectors. While the monetary costs of a data breach are unsustainable, the more immediate danger is to patients. Data breaches put patients at risk of identity theft, fraud, and compromised medical data.
While steps have been taken to increase cybersecurity in the healthcare field, there is still a patchwork of laws and regulations and a lack of resources that must be improved and harmonized. As policymakers seek to address this issue, AHIMA members have the expertise to offer practical insight.
One concern is the lack of standardization and incompatibility of public health data collected across different surveillance systems; across local, regional, and federal agencies; and across geographic borders. During the COVID-19 pandemic, data collected and reported across the US has been found to be inconsistent and incomplete, hampering health officials’ ability to understand factors that place certain populations and communities at increased risk.
While it is necessary to have a well-functioning, fully funded public health system, patient privacy must be protected and safeguarded. Current methods used by American public health departments to produce de-identified data sets are not always successful in preventing patient re-identification. The CDC states that these systems need to be modernized to keep both the systems and their data secure. Public health and patient privacy are compatible goals that can be met through clear policy guidance.
To realize the benefits of improved cybersecurity for the healthcare industry, certain barriers must be addressed, including:
Challenges to information sharing.
These include technological barriers, such as a lack of interoperability or of hardware/software capabilities; informational barriers, such as unreliable data; and organizational barriers, such as a lack of resources and restrictive organizational policies.
Lack of harmonization of laws and regulations.
The US regulates certain sectors and types of information differently, creating overlapping and sometimes contradictory protections. State laws and regulations can also add an additional layer of complexity with varying definitions, measures, and regulations that are often incompatible.
Insufficient personnel and funding.
According to a study conducted by the Ponemon Institute, only 30 percent of respondents rate their organization’s IT security effectiveness at mitigating risks, vulnerabilities, and attacks as “very high.” The most cited challenges in achieving this level of effectiveness are insufficient personnel and insufficient budget. There is also a lack of personnel with expertise across both privacy and security.
Need for additional federal support.
Cybersecurity must be a top priority for the federal government across all sectors, especially the healthcare sector. Federal support must be adequate to facilitate information sharing, the creation of best practices, and the monitoring of cyber threats.
January 5, 2021
AHIMA calls for the incoming administration to consider the implications of health information as they begin to implement new health policies in 2021.
AHIMA Advocacy in Action - Cybersecurity and Information Security
January 4, 2021
AHIMA has sent a letter to Congressional leadership of the 117th Congress, encouraging the new Congress to ensure health information is fully considered and prioritized in future health policy.
December 14, 2020
In a letter to Senate leadership, AHIMA and other healthcare organizations advocated for legislation that would incentivize the adoption of cybersecurity practices.