Health Officials Promise Better Cybersecurity Accessibility and AI Safety Standards

ORLANDO — Officials from the Department of Health and Human Services (HHS) and the National Coordinator for Health IT (ONC) outlined changes to cybersecurity standards and electronic health records interoperability at the HIMSS conference in Orlando, Florida, Tuesday.

New Additions to HHS 405(d) Program

Officials from HHS announced a Spanish language page, as well as a new health care and public health sector (HPH) cybersecurity gateway as the latest updates to the 405(d) program, a collaboration of the Health Sector Coordinating Council and the federal government to align security practices. The gateway, released in December, provides voluntary cybersecurity performance goals and serves as a “consistently evolving, comprehensive and accessible hub” for health organizations.

“This is the beginning of how we, at HHS, plan to expand our resources into the sector and underserved communities,” Nick Rodriguez, HHS 405(d) program manager, said. “Everyone plays a critical role in cybersecurity, and we are excited to help and reach that loop across organizations.”

In addition to the recent updates, Rodriguez also noted the importance of the updates announced during the 2023 HIMSS conference, which included the first hospital cyber resiliency landscape analysis, publishing and using the health industry cybersecurity practices (HICP) and providing free cybersecurity trainings and resources for health organizations. Rodriguez said HHS plans to release an annual landscape analysis and HICP.

New Requirements for the HTI-1 Final Rule

Following the recent release of the HTI-1 final rule, officials from ONC discussed why transparency is crucial for the use of AI in health care. The HTI-1 final rule, or Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, is an addition to the ONC Health IT Certification Program establishing transparency requirements for AI and other algorithms used in health care settings. With requirement updates, ONC aims to improve transparency and interoperability in health IT settings.

Following its proposal in April 2023, the HTI-1 final rule went into effect on February 8. The new requirements amend the information blocking regulations previously enacted by the ONC under the 21st Century Cures Act. The HTI-1 final rule also:

• Raises the United States Core Data for Interoperability (USCDI) Version 3, a standard for health data classes, from version 1
• Sets new requirements for standardized application programming interface (API)
• Facilitate interoperability with the standardization of health information and functionality

At HIMSS, Deputy Director of ONC’s Certification and Testing Division Jeffery Smith outlined the updated requirements for developers who supply predictive decision support interventions (DSI) to health care organizations. Developers must include 13 source attributes for evidence-based data sets and 31 for predictive data sets, which will create a baseline for the future. Smith said developers don’t need to provide DSIs to their customers, but they do need to “enable their users to select a predictive DSI.”

“That may not sound like a terribly different way of looking at things but it’s really important to know the developer doesn’t have to have a predictive DSI,” Smith said. “But, they do have to enable their users to select a particular site. We’d also note here that the developer is not responsible for content that might get modified by the users.”

Smith reiterated the timeline developers who provide DSIs are required to follow: all certified technology must be updated by December 31, 2024, to “support the capabilities for DSIs.” He also noted that health care organizations aren’t required to use DSIs by that date, but will have access to them.

The Challenges of Regulating AI in Health Care

The need for data quality, equity and ethical requirements is important as officials and federal agencies weigh the idea of implementing artificial intelligence and machine learning. AI technology is changing quickly, reinforcing the need to standardize ethical AI practices. Without standards, regulations or best practices, health professionals run the risk of contributing to differential treatment, medical errors and inequitable results of treatment.

“When we talk about the challenges of regulation, it’s hard because the field of AI like most emerging technologies, continues to evolve at a rapid pace and government doesn’t always evolve at [that pace],” ONC Senior Advisor to the Deputy National Coordinator Stephen Konya III said.

Konya discussed the challenge of regulating AI, as it needs to allow innovation while ensuring cybersecurity and safety. Konya referenced other agencies within HHS, like the Food and Drug Administration and its clinical decision support tools, which allows evolving guides and toolkits for accurate training.