New legislation (H.R. 7898) requires HHS to consider whether a healthcare provider or business associate had recognized security practices in place when it determines fines, audit scope and other remedies after a breach.
Background: H.R. 7898
On January 5, 2021, H.R. 7898 was signed into law to incentivize healthcare organizations to adopt leading practices for meeting HIPAA requirements. This amendment to the HITECH Act gives organizations dealing with a breach an opportunity for relief at a time when attacks on the healthcare industry have reached unprecedented levels. It acts as a positive incentive for covered entities and business associates to invest in leading cybersecurity practices rather than relying on the fear of severe repercussions alone.
H.R. 7898 requires the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to consider whether an organization has implemented recognized security practices when determining fines, the length and extent of audits, and any other remedies. The amendment brings some consistency to the post-breach experience, which has been an area of criticism in the past. It is certainly no “Get Out of Jail Free” card: it does not create a safe harbor or block an investigation, and it gives OCR no authority to penalize an organization that chose not to adopt recognized practices. What it does is make documented security practice a mitigating factor.
To take advantage of the amendment, the organization must be able to demonstrate that recognized security practices had been in place for at least the 12 months preceding the breach. The burden of proof is on the organization, so the evidence (policies, assessment reports, remediation records, and similar artifacts with dates) has to exist before the incident, not be assembled afterward.
What exactly are “recognized security practices”?
The amendment defines recognized security practices as:
“The standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.”
Much like the HIPAA Security Rule itself, H.R. 7898 leaves the exact approach up to the organization, but the two sources it names are specific: section 2(c)(15) of the NIST Act is the statutory basis for the NIST Cybersecurity Framework, and section 405(d) of the Cybersecurity Act of 2015 produced the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) guidance released in 2018. The third category, practices “developed, recognized, or promulgated through regulations under other statutory authorities,” leaves room for other frameworks, but an organization relying on one should be prepared to explain how it qualifies.
Why does H.R. 7898 matter?
Whether you are a high-maturity organization looking to further protect yourself against cyber threats and compliance fines, or a low-maturity organization working towards HIPAA compliance, your next steps are clear. Adhering to industry best practices is now a 2-for-1 deal: the same controls defend against cyber threats and against compliance fallout. By documenting your alignment with a recognized cybersecurity framework, your organization can:
- Improve its security posture
- Maintain evidence of alignment with recognized industry best practices
- Reduce possible fines and compliance costs should it become the victim of a cyber incident or breach
- Reduce the scope or length of a compliance audit
If your organization is a healthcare entity of any size or maturity, this is a no-brainer.
How should healthcare organizations respond to H.R. 7898?
- You’ve probably heard it a million times: perform an annual risk analysis.
- Covered entities and business associates should be performing and documenting a periodic security risk analysis as well as ongoing risk management activities. Don’t stop there.
- Make sure you are aligning your risk analysis and risk management efforts with the recommendations in the HICP publication and NIST guidance.
- Start by identifying which threats your organization faces and work backwards to identify what controls you have in place, or need to have in place, to detect and protect against those threats. This approach is the heartbeat of the HICP publication, which focuses on the five threats it rates highest in likelihood and impact for healthcare providers: email phishing, ransomware, loss or theft of equipment or data, insider data loss (accidental or intentional), and attacks against connected medical devices. In our experience, ransomware continues to lead the pack.
- Blog: Getting Specific with Ransomware Preparedness
- Consider selecting NIST SP 800-53 or a framework that maps directly to it; at a minimum, select any ONE framework to use as a baseline that satisfies the criteria for recognized security practices. Keep in mind that the statute explicitly names the NIST Cybersecurity Framework and the 405(d) HICP practices, so if you choose a different framework, document how it maps to one of those. Document the results of assessments and track identified gaps and their remediation plans. Evaluate progress annually against the defined roadmap and be prepared to show dated evidence that the practices were in place, not just that they were planned.
If you’re not sure where to start, let us help you. Whether you want advice on a specific topic, help tailoring your existing assessment processes, or need an independent risk analysis, we can help. SRA has a strong HIPAA risk assessment methodology which includes the concepts covered by the HICP framework.