What is holding organizations back from achieving a strong cybersecurity posture in a healthcare environment? It is not that breaches are cheap. According to one study, the average cost of a breach was $182,000 for a small to medium healthcare organization and $3.4 million for a large healthcare organization.1 In another study, the average healthcare data breach cost $10.1 million, and 83% of the organizations mentioned in the study have experienced more than one data breach.2 This does not only affect large organizations: 63% of small to medium organizations reported a data breach. There are many obstacles, especially for small and medium businesses, which cite insufficient personnel, an insufficient budget, a lack of understanding of how to protect against cyberattacks, insufficient enabling technologies, and a lack of in-house expertise as the top five reasons for a weak cyber posture.3
A strong cybersecurity posture is difficult in the best of industries for small, medium, and even large organizations. However, with the value of electronic protected health information (ePHI), the stakes and challenges only increase. With this, there are continued efforts to provide more incentives and guidance, e.g., 405(d) task force, instead of sticks and fines. This is where the HIPAA Safe Harbor law comes into play.
The HIPAA Safe Harbor law acknowledges that bad things happen to the best of us. However, it does not completely protect an organization from costly audits or fines. It does offer the possibility of better outcomes, and it can strengthen your cybersecurity posture. The law specifies three favorable outcomes: mitigating fines, early and favorable termination of an audit, and mitigating the remedies that would otherwise be agreed to in an agreement resolving potential HIPAA violations.
The bill does not require you to implement “recognized security practices.” Instead, it puts into law that the Office for Civil Rights (OCR), which is authorized to impose fines, must start by looking back 12 months for documentation demonstrating that “recognized security practices” were in place. This indirectly helps define how frequently an organization should perform a HIPAA risk assessment. HIPAA specifies that a risk assessment must be performed on a periodic basis; however, it does not specify what periodic means. Now you can look to the HIPAA Safe Harbor law and perform a HIPAA risk assessment at least once a year, because the Safe Harbor law looks for “recognized security practices” that have been in place for 12 months.
Fortunately, we get some type of definition from the Public Law 116-321 of the 116th Congress as to what “recognized security practices” are:
- The standards, guidelines, best practices, methodologies, procedures, and processes developed under Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;
- The approaches promulgated under §405(d) of the Cybersecurity Act of 2015; and
- Other programs and processes that address cybersecurity and are developed, recognized, or promulgated through regulations under other statutory authorities.
These definitions are still broad, but they are getting us closer to the path we need to follow.
There are several places to start; a good starting place is NIST 800-66 Revision 1 (An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule) and the 405(d) Task Force Health Industry Cybersecurity Practices (HICP) technical volumes. NIST 800-66 is a comprehensive guide that covers each safeguard, but it can be overwhelming and broad. The two HICP technical volumes (one for small and the other for medium and large healthcare organizations) are written in plain language, are prescriptive, and provide guidance on the low-hanging fruit that can mitigate the most common risks to covered entities.
At the time of this writing, the OCR is working on additional guidance to better explain what “recognized security practices” are; however, the first step, as noted in NIST 800-66 Revision 1, is for the organization to identify and inventory all systems, hardware, and software that house ePHI. This is nothing new; however, the HIPAA Safe Harbor law now requires the OCR to request and review evidence of when security practices were put in place, whether documentation exists supporting those practices, and how the security practices were implemented. Long story short, if you don’t have any documentation, then it didn’t take place.
If documentation is not available, the civil monetary penalties could range from a minimum of $100 to $50,000 per violation, depending on the severity of the breach and whether the organization performed reasonable diligence and was not negligent.
The questions and obstacles remain; nevertheless, the guidance is being further refined. If you have questions or need assistance, please reach out to a professional at FORVIS.