What is the Current HIPAA Cybersecurity Guidance?
HIPAA cybersecurity guidance is currently up for interpretation, as healthcare organizations are meant to scale security requirements as relevant to their business. Unfortunately, in many cases, this leaves healthcare businesses confused, often leading to insufficient security measures. This is because HIPAA Security Rule guidance was intentionally written as a high-level overview of what must be implemented.
In the past, NIST has sought to remedy this by releasing a Cybersecurity Resource Guide with very precise guidance. However, NIST seeks to release new HIPAA cybersecurity guidance that would be a middle ground between HIPAA Security Rule guidance and the current NIST cybersecurity guidance.
How is NIST Changing the Guidance?
In January 2021, a new cybersecurity bill (HR 7898) was passed to bolster the healthcare industry’s cybersecurity posture. The bill does so by requiring the HHS to incentivize HIPAA cybersecurity by taking into account an organization’s implementation of a “recognized cyber security framework” (such as NIST) when conducting an audit and deciding whether or not to fine the organization.
The new guidance is set to provide healthcare organizations with detailed guidance on what recognized cybersecurity best practices are and how to implement them. This is particularly important to ensure that healthcare organizations implement effective security practices, as the bill defines “recognized security practices” as:
- The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015;
- Programs and practices that are developed in, recognized by, or outlined in federal laws other than HIPAA; and
- Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
The updated guidance also seeks to:
- Educate readers about information security terms used in the HIPAA Security Rule;
- Amplify awareness of NIST cybersecurity resources relevant to the HIPAA Security Rule; and
- Amplify awareness of non-NIST resources relevant to the HIPAA Security Rule.
NIST Cybersecurity and Public Comment
To ensure that the new NIST Cybersecurity Resource Guide adequately addresses the concerns of covered entities and business associates, NIST is giving them until June 15, 2021, to submit comments.
NIST is asking healthcare organizations to:
- Describe any tools, resources, or techniques that their organization currently uses or would like to use to implement the HIPAA Security Rule.
- Describe how their organization manages compliance and security simultaneously (i.e., how their organization achieves compliance with the HIPAA Security Rule while also improving cybersecurity posture).
- Describe how their organization assesses risk to ePHI (electronically protected health information) and how this assessment leads to identifying appropriate security controls/practices.
- Describe how their organization determines that security measures implemented in accordance with the Security Rule are effective in protecting ePHI and how often their organization initiates a process to determine such effectiveness.
- Describe how they document the process of demonstrating adequate implementation of recognized security practices.
- Describe how these recognized security practices overlap with and diverge from compliance with the HIPAA Security Rule at their organization.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Ransomware hackers attack smaller healthcare practices daily, creating serious data breaches and HIPAA violations. Are you and your clients/patients vulnerable, too? Digital extortion is the game with ransomware – malicious software that holds sensitive information hostage until a ransom fee is paid to the hacker in question. Attacks against big-name hospitals and government agencies often capture the headlines, but what isn’t publicized are the dozens of ransomware variants such as CryptoWall and Crypt0L0cker that extort smaller practices on a daily basis, leading to serious headaches for unsuspecting clinicians who simply are trying to promote their practices online.