Many health and dental care organizations have already begun implementing various forms of artificial intelligence (AI) technology in their operations (e.g., AI phone menus, AI transcription, etc.). Although the use of AI has its benefits, cybersecurity must be considered, because under HIPAA’s Security Rule you are required to ensure the security of all PHI that is received, stored, and transmitted.
The National Institute of Standards and Technology (NIST) is an organization that develops best practices and standards for infrastructure, systems, networks, and more. NIST has developed guidelines for cybersecurity in the AI era titled “Cybersecurity Framework Profile for Artificial Intelligence.” You can find the guidelines on NIST’s website. These guidelines focus on ways that organizations can secure their AI systems, defend against cyberattacks, and thwart AI-enabled threats.
It can be very helpful to share NIST guidance with your IT vendor, who should also be involved in implementation of AI technologies. Your IT vendor can identify areas of risk and help to mitigate them. Some of the NIST guidance may be difficult to understand for those who are not IT experts. However, the guidance may assist you in identifying risks you hadn’t even considered when adopting AI.
Foundationally, you should have a business associate agreement (BAA) with any vendor that provides AI services and that will access, transmit, store, or otherwise work with EPHI. Be sure to obtain the BAA before granting any access to EPHI.
In addition, all AI technologies should be evaluated as part of your Security Risk Analysis (SRA) to identify any vulnerabilities and risks associated with the products. Corrective actions may be identified during the SRA to reduce or mitigate the risks that are present. Again, your IT vendor will be an important resource in this area.