Receiving incentives for following best security practices is a win-win for every healthcare-related entity: the organization earns the incentive, and it also ends up with a rock-solid security defense.
Many organizations find that the rules and regulations that HIPAA entails are too extensive and overwhelming, however. What’s more, cybersecurity wasn’t a thing when HIPAA was introduced. Therefore, the law does not have any specific guidelines for cybersecurity.
The HIPAA law subsequently went through some changes to minimize the burden on healthcare organizations. The changes in part accounted for advancement in technologies to ensure that healthcare organizations can perform their duties without any hindrance. Despite those efforts, some covered entities and business associates still find the law to be a burden.
But things are changing. In light of recent news in particular, healthcare organizations will be encouraged to implement best security practices and satisfy HIPAA compliance requirements.
Cybersecurity Scenario in Healthcare
Cybersecurity issues are posing myriad problems for businesses. In particular, the healthcare industry has suffered a lot in recent months as cyberattacks have become more sophisticated and frequent. For instance, a whopping 79% of all reported data breaches between January 2020 and November 2020 involved healthcare organizations. Moreover, healthcare entities witnessed a 45% increase in cyberattacks between November 2020 and January 2021.
In the midst of all this, H.R. 7898 (the HIPAA Safe Harbor bill) was formally signed into law on January 5. The bill amends the HITECH Act and requires the Department of Health and Human Services (HHS) to incentivize organizations that implement best cybersecurity practices to meet their HIPAA obligations.
It’s a sigh of relief for organizations that stood very little chance against highly sophisticated cybersecurity attacks.
What is the HIPAA Safe Harbor Bill?
The government realized that even organizations that had implemented best security practices last year could not prevent a cyberattack. (It seemed unfair that HHS’s Office for Civil Rights (OCR) had the power to fine organizations that could do very little to protect against unavoidable security breaches.) Even the FBI raised its concerns and brought “imminent ransomware attacks” to the medical community’s attention. The only viable option was to create a recovery plan of action.
In response, the HIPAA Safe Harbor bill has been set in motion to protect organizations that have been exposed to cyber-related security breaches—even when those entities met recognized security practices. The legislation directs HHS to take into account the security measures an organization has had in place during the previous 12 months, and to provide incentives for them regardless of whether the organization experienced an attack.
Furthermore, the HHS must take the following factors into account:
- It must consider cybersecurity measures when calculating fines rather than issuing disciplinary actions and penalties for an attack that could not have been prevented.
- If it is determined that the impacted entity has indeed met industry-standard best security practices, HHS is required to decrease the extent and length of an audit.
- Additionally, if an organization is found to be out of compliance with the NIST guidelines or the Cybersecurity Act of 2015, HHS cannot increase fines or the length of an audit on that basis.
Instead, the standard of compliance will be determined by a covered entity’s or business associate’s consistency with regards to the HIPAA Security Rule.
The House Energy and Commerce (E&C) Committee played a big part in passing this bill and was backed by several health IT industry stakeholder groups. The House E&C Committee was not shy about raising its concerns, either, expressly noting that OCR has issued severe penalties against covered entities and business associates despite those organizations having employed best industry-standard cybersecurity practices.
Notably, the bill also aims to encourage organizations to conduct thorough security risk assessments and put a security plan with documentation into action immediately.
That said, organizations are not bound to any particular tool for security risk assessments. Some of the best industry practices recommend utilizing HIPAA compliance software. These tools are relatively cheap and offer numerous benefits.
This is one of many recent initiatives aimed at bolstering cybersecurity in an age where healthcare is targeted by attackers in record numbers. The law also serves as a positive incentive for healthcare entities to increase cybersecurity spending in a way that ultimately benefits patients and aims to improve the overall protection of health data. Consider following the new HIPAA Safe Harbor law not only because it will reduce the likelihood of damaging ransomware and cyberattacks but also because it could help defend against an OCR audit or investigation.
About the Author: Riyan N. Alam works for CloudApper. Combining his hobby of reading up on industry trends, Riyan has a passion for writing and often writes on topics related to HIPAA compliance, Facilities Management, and CMMS. Riyan also loves traveling and trading in his free time.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.