Navigating Regulations in Healthcare: Cyberattacks and AI Governance


The recent cyberattacks on our healthcare system were understandably front and center during HIMSS24 as healthcare organizations continued trying to recover from the catastrophic impact on operations and patient treatment nationwide.

In the wake of the most recent attack, the federal government has been helping providers with loans to bridge payments. CMS announced flexibilities to ensure that states can start making interim payments to providers, and as of March 28th, UnitedHealth Group has paid over $3 billion in advance payments.

Legislative and regulatory provisions that may eventually be implemented in response to the attack are already starting to emerge, such as a bill that would apply cybersecurity-related conditions to the receipt of Medicare accelerated and advance payments during a cyberattack. As anticipated, the Department of Homeland Security released a proposed rule on Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) reporting requirements. The rule opened for public comment on April 4th for 60 days.

Digital Fax: A Reliable Safeguard When Advanced Systems Fail

Although most recent headlines about the data breach have focused on payment disruptions, the more critical issue is the disruption to patient care: specifically, patients' ability to obtain their electronically prescribed medication was disrupted when providers were asked to either fax or call in prescriptions.

In the face of system failures of this magnitude, and of those affecting hospitals, our healthcare system needs a low-barrier solution that will function across all care settings, regardless of technological capabilities. That solution is cloud fax, a technology that is a HIPAA-secure, foolproof way to keep the lights on.

Digital fax allows healthcare stakeholders to communicate digitally and transmit unstructured data. Additionally, when filing electronic claims from an EHR is disrupted, along with eligibility checks, reliable cloud faxing can play a role, especially when structured data can be pulled from claim forms.

As the industry continues to progress toward greater electronic interoperability through the recommended use of data standards like Health Level Seven (HL7®) Fast Healthcare Interoperability Resources (FHIR®) and X12, we must not ignore the critical need to retain a reliable, safe and accessible method of transmitting data as a fail-proof way to keep communicating in the event of a cyberattack. The simplest form of this is HIPAA-secure digital cloud faxing.

Greater Governance of AI

Before the unplanned conversations around the recent cyberattack, much of the planned content at HIMSS24 focused on artificial intelligence (AI). Notably, the discussion during this year's conference centered more on the need for regulation and guardrails for the technology, a progression from last year's annual conference, which focused more on its potential uses. Although AI is primarily being used today for administrative purposes, there's a greater focus on regulating its use for clinical purposes, such as assisting physicians with diagnoses.

To that end, CMS’s Office of the National Coordinator for Health Information Technology (ONC) passed the HTI-1 rule in December, which requires greater transparency around the use of AI and other predictive algorithms in certified health IT products like EHRs. 

ONC has faced pushback around how to enforce the rule, parts of which are meant to curb the magnification of bias in data so as not to exacerbate disparities in care for underserved populations. Nevertheless, the fact remains that we must achieve a certain level of transparency, and to do that, we need to put the law into practice. Without real-world evidence, it will be difficult to ascertain whether the regulation is working.

The conversation around AI governance also includes the patient’s role in AI and whether HIPAA still adequately captures patient consent for use of their data in AI applications. Three in five U.S. adults would be uncomfortable if their healthcare provider relied on AI for their medical care, according to the Pew Research Group. The question of how to protect patient data, especially in the wake of cyberattacks like the one we just experienced, will require some thought. 

Coinciding with HIMSS24 was the launch of the Trustworthy & Responsible AI Network, or TRAIN, a coalition whose members include healthcare provider organizations and Microsoft. The goal of the coalition is to share best practices related to AI in healthcare. Another industry group, the Coalition for Health AI, also recently formed to harmonize standards and reporting for health AI. 

Yet another nationwide effort to corral the use of AI includes the Biden administration’s establishment of an AI task force across all industries by way of an executive order issued last year. On a global scale, the World Health Organization published guidance for AI ethics and governance in January 2024 to advise healthcare providers, governments and technology companies as they design and deploy large language models for healthcare services and research. 

Despite the urgency in discussions around greater governance of AI, it's going to take a while to establish guardrails, especially in the middle of an election year when the possibility of a new administration could change the course of regulations. In the meantime, the industry, including many hospital systems and EHRs, is testing proof-of-concept models to validate the value of AI.