Cybersecurity essential, but lawmakers must avoid overburdening dental practices, ADA says
A proposed cybersecurity law would mandate important new security requirements and testing but could burden small businesses, including many dentists, according to the ADA.
If passed, the Health Infrastructure Security and Accountability Act of 2024 would require the Department of Health and Human Services to develop a set of tough minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates. While the ADA acknowledged that cybersecurity is essential for the health care industry, it also noted in a Dec. 6 letter that complying with new regulations could be onerous for dental practices.
For example, Section 101 would require the secretary of Health and Human Services to adopt enhanced security requirements to protect health information and patient safety within two years of passage of the bill. The Association said it supports the adoption of the enhanced security requirements, but only if the secretary allows “the necessary time for dental practices and other providers to comply through technology updates, training and other required means.”
“Most dental practices, and many other health care providers, are small businesses that are already heavily burdened with complying with existing HIPAA regulations,” reads the letter, which was signed by ADA President Brett Kessler, D.D.S. “Congress and the relevant regulatory agencies must take into account the cost restraints faced by these small providers who would be faced with complying with new security requirements every two years, should this legislation pass.”
Section 102 would require annual independent cybersecurity audits for covered entities and business associates, as well as stress testing to ensure that covered entities are able to restore service promptly after an incident. The ADA expressed support for high cybersecurity standards throughout health care but emphasized the challenge small providers would face when implementing independent cybersecurity audits and stress tests.
The letter, addressed to Sen. Ron Wyden, D-Ore., and Sen. Mark Warner, D-Va., urged that any requirement to audit practice cybersecurity or to perform stress tests should explicitly exempt small practices. But if small practices must implement audits and stress testing, the ADA said, the federal government should offer resources and funding to the practices so they are not overly burdened with implementation costs.
“America’s dentists stand ready to work with you to safeguard patient records and data, including through preparing dental practices to protect themselves and their patients from cyberattacks,” the letter concludes.