As October is Cybersecurity Awareness month, now is the time to think about how your organization handles cybersecurity and how changes to the law may affect your strategy in the future. Cybersecurity should be a top priority for any business, especially those that work in healthcare. A study conducted by Black Book Market Research found that 60% of healthcare organizations had experienced a large-scale breach in 2020, a 300% increase compared to the year prior. The study also predicted that healthcare breaches are likely to triple in the coming year, making healthcare cybersecurity more important than ever before. Over the years, the Department of Health and Human Services (HHS) and the National Institute of Standards and Technology (NIST) have released guidance to aid healthcare organizations in improving their cybersecurity. This guidance, as well as cybersecurity law, are discussed in detail below.
Healthcare Cybersecurity: HHS Guidance
In response to the growing cyber threat facing healthcare organizations, the Department of Health and Human Services (HHS) formed a task group to build a set of principles and practices to improve healthcare cybersecurity. Through this, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” was published.
The guidance in the document:
- Examines current cybersecurity threats affecting the Healthcare and Public Health (HPH) sector;
- Identifies specific weaknesses that make organizations more vulnerable to the threats; and
- Provides selected practices that cybersecurity experts rank as the most effective to mitigate the threats.
Healthcare Cybersecurity and HR 7898
In January 2020, legislation was signed into law known as HR 7898 requiring the HHS to incentivize healthcare cybersecurity best practices. HR 7898 defines “recognized security practices” broadly to mean:
- Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
- The cybersecurity practices were developed under section 405(d) of the Cybersecurity Act of 2015.
- Programs and practices developed in, recognized by, or set forth in federal laws other than HIPAA.
The Safe Harbor Bill provides protection for healthcare organizations following a breach when they can show documented proof that they implemented a recognized cybersecurity framework prior to the incident. Healthcare organizations that can show proof will receive technical assistance from the HHS rather than be subjected to HIPAA fines.
NIST Cybersecurity Guidance
In response to the passing of HR 7898, NIST is revising its Cybersecurity Resource Guide to provide more detailed healthcare cybersecurity guidance. The original guide, published in 2008, was meant to provide healthcare organizations with simplified guidance on HIPAA Security Rule requirements. However, with the increased cybersecurity threat against healthcare organizations and the passing of HR 7898, NIST determined that a more detailed guide would be beneficial. NIST left the revisions up for public comment until July 9, 2021, and revisions are underway. See TBHI’s previous articles related to cybersecurity:
- NIST Cybersecurity Guidance Update for Clinical HIPAA Cybersecurity
- Cybersecurity Alert of Ransomware Activity in Healthcare
- Healthcare Cybersecurity, Ransomware Threats on the Rise
This Article Contributed by Compliancy Group
Need assistance with HIPAA compliance? Compliancy Group can help!