Healthcare Cybersecurity, NIST Cybersecurity

Cybersecurity Awareness Month: Are Your Services Safe?


October 21, 2021 | Reading Time: 2 Minutes


As October is Cybersecurity Awareness Month, now is the time to think about how your organization handles cybersecurity and how changes to the law may affect your strategy in the future. Cybersecurity should be a top priority for any business, especially those that work in healthcare. A study conducted by Black Book Market Research found that 60% of healthcare organizations had experienced a large-scale breach in 2020, a 300% increase compared to the year prior. The study also predicted that healthcare breaches are likely to triple in the coming year, making healthcare cybersecurity more important than ever before. Over the years, the Department of Health and Human Services (HHS) and the National Institute of Standards and Technology (NIST) have released guidance to aid healthcare organizations in improving their cybersecurity. This guidance, as well as the relevant cybersecurity law, is discussed in detail below.

Healthcare Cybersecurity: HHS Guidance

In response to the growing cyber threat facing healthcare organizations, the Department of Health and Human Services (HHS) formed a task group to build a set of principles and practices to improve healthcare cybersecurity. Through this, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” was published.

The guidance in the document:

  • Examines current cybersecurity threats affecting the Healthcare and Public Health (HPH) sector;
  • Identifies specific weaknesses that make organizations more vulnerable to the threats; and
  • Provides selected practices that cybersecurity experts rank as the most effective to mitigate the threats.

Healthcare Cybersecurity and HR 7898

In January 2020, legislation known as HR 7898 was signed into law, requiring HHS to incentivize healthcare cybersecurity best practices. HR 7898 defines “recognized security practices” broadly to mean:

  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act);
  • Cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015; and
  • Programs and practices developed in, recognized by, or set forth in federal laws other than HIPAA.

The Safe Harbor Bill provides protection for healthcare organizations following a breach when they can show documented proof that they had implemented a recognized cybersecurity framework prior to the incident. Healthcare organizations that can show such proof will receive technical assistance from HHS rather than being subjected to HIPAA fines.

NIST Cybersecurity Guidance

In response to the passing of HR 7898, NIST is revising its Cybersecurity Resource Guide to provide more detailed healthcare cybersecurity guidance. The original guide, published in 2008, was meant to provide healthcare organizations with simplified guidance on HIPAA Security Rule requirements. However, with the increased cybersecurity threat against healthcare organizations and the passing of HR 7898, NIST determined that a more detailed guide would be beneficial. NIST left the proposed revisions open for public comment until July 9, 2021, and the revisions are underway.

This Article Contributed by Compliancy Group
