In November 2022, U.S. Sen. Mark R. Warner’s office released a report titled “Cybersecurity is Patient Safety—Policy Options in the Health Care Sector.” This report made a profound statement: “When it comes to cyberattacks affecting patient care, the question is no longer a matter of if or when, but how often and how catastrophic the consequences.” For context on how often, the Veeam 2022 Ransomware Trends Report noted that 73% of organizations in the study suffered two or more attacks in the past 12 months. As an example of how catastrophic, when the University of Vermont Medical Center suffered a cyberattack on October 28, 2020, it was offline for 28 days and lost an estimated $50 million. Given the prevalence of cyberthreats, implementing recognized security practices (RSPs) is crucial for a healthcare organization.
RSPs are a pillar of the HIPAA amendment signed into law in early 2021. Even though the law provided definitions for RSPs, additional guidance was needed. Fortunately, on October 31, 2022, the senior advisor for cybersecurity for the HHS Office for Civil Rights (OCR) provided such guidance.
Building on our previous FORsights™ article, “What Is HIPAA Safe Harbor?,” this article summarizes that guidance, which covered how a regulated entity can demonstrate RSPs are in place and how OCR requests information and evidence.
The amendment identified three categories of RSPs. The first and second were explicitly identified as the NIST Cybersecurity Framework and the approaches promulgated under Section 405(d) of the Cybersecurity Act of 2015. The third is an “other” category that may be used to demonstrate RSPs by implementing cybersecurity practices and controls from a cybersecurity program or framework that is explicitly recognized by statute or regulation. When deciding which category to select, a regulated entity should consider the first or second, because these are specifically named in the legislation and the entity will not need to explain what it selected for the “other” category.
The amendment is intended to provide incentives: reduced fines, early and favorable termination of an audit, or mitigation of other agreed-upon remedies. In addition, the adoption of RSPs is completely voluntary, and a regulated entity incurs no liability for not implementing RSPs. However, to benefit, the regulated entity needs to demonstrate that RSPs have been fully implemented and operating for the last 12 months.
When the data requests come, there are suggestions for how best to provide evidence. Fortunately, the entity can decide what evidence to provide, and the evidence is meant to illustrate the entity’s RSPs. The evidence also needs to meet three objectives: 1) it needs to demonstrate RSPs have been implemented for the last 12 months, 2) implementation that exists only on paper is not acceptable, and 3) it needs to demonstrate RSPs are implemented across the enterprise, not just for a small subset of IT assets, applications, or environments.
The OCR will notify the entity about providing evidence of RSPs and how best to present the evidence. It also will ask the entity to identify which regulatory or statutory citations were used—for example, the NIST Cybersecurity Framework, the approaches promulgated under §405(d) of the Cybersecurity Act of 2015, or other (with the expectation that the entity identifies which “other” framework was implemented). To note again, an entity can decide what evidence to provide (as the senior advisor for cybersecurity pointed out numerous times, the evidence is illustrative).
The guidance provided examples of evidence, with the caveat that the list is not exhaustive. There also was an emphasis on making sure all supporting evidence includes dates to demonstrate the RSPs have been operating for the last 12 months. Examples noted in the guidance were policies and procedures implementing RSPs, project plans regarding RSP deployment along with meeting minutes and approvals, training material and attendance records, application screenshots, vendor contracts and statements of work, etc.
Implementing RSPs will require formal documentation and can help mitigate the “how often and how catastrophic.” The practices could reduce fines, have an early favorable termination of an audit, or mitigate other agreed-upon remedies. Finally, remember that implementing RSPs or any cybersecurity endeavor is a journey, not a destination.