HIPAA Enforcement is Changing. Providers Must Too.

Cam Roberson, VP at Beachhead Solutions

Healthcare delivery organizations and those working with them that are still in business are either well aware of their duties under HIPAA, work with managed service providers that understand the law well, or…are lucky to have made it this far. Even for organizations that have steered clear of both cyberattacks and regulatory fines, vigilance is essential to maintaining a clean bill of (cybersecurity) health.

With HIPAA guidance and enforcement practices shifting increasingly quickly right now, businesses must adapt their cybersecurity strategies to remain alert and in step with regulators’ most current expectations.

The fines they are a-changin’

Historically, HIPAA regulators have most often levied fines in the seven-figure range—but levied them relatively sparingly. As a result, HIPAA enforcement actions have long been viewed as a force of nature akin to lightning strikes: extremely lethal to most businesses, but just as extremely rare. That state of play has made it easy for organizations to adopt a dangerous “It won’t happen to me” attitude, as well as the mindset that fines could happen to anyone with bad enough luck.

HIPAA regulators are now changing their enforcement practices to take that perception of luck out of the equation—and force every organization that touches sensitive patient data to get serious about cybersecurity.

Regulators’ new strategy: assign five-figure fines per violation that most businesses can afford, and ramp up enforcement so that any organization not meeting its regulatory obligations can expect to receive one. Ironically, this affordable-pricing strategy was pioneered by ransomware attackers in recent years: they have moved away from huge price tags that had their victims defiantly abandoning data, and have instead become clever at sizing ransoms so that a business’s easiest choice is to pay up. With HIPAA regulators now applying clear and constant pressure via fines, organizations are correctly incentivized to maintain compliant cybersecurity practices and avoid writing checks to either law enforcers or lawbreakers.

HIPAA security controls have caught up with the times

When HIPAA was first enacted in 1996, the law’s writers looked to contemporary cybersecurity frameworks (like the versions of ISO and NIST in use at the time) to borrow guidance on effective controls for ensuring the safety of patient health information. Needless to say, a thing or two has changed in the 27 years since, from the sophistication of cyberattack strategies to the introduction of more modernized cybersecurity frameworks.

The recent bill H.R.7898 has now addressed this discrepancy, allowing organizations to align their HIPAA security policies with modern control sets. Organizations should take full advantage of this development, mapping HIPAA to today’s most effective security standards (such as NIST CSF or ISO 27001) in order to increase the effectiveness of their protections.

New guidelines suggest that HIPAA is no longer DIY for smaller businesses

Back in 2005, the government drafted the Health Industry Cybersecurity Practices (HICP) guidelines to provide healthcare organizations with recommendations and best practices for complying with HIPAA and protecting their patients’ data. Throughout the HICP’s history up until just recently, these guidelines maintained a DIY tone, telling organizations how to accomplish and maintain HIPAA-compliant cybersecurity internally.

However, a recent substantial overhaul of the 405(d) HICP guidelines now directly offers advice on how to select an effective and trustworthy security-minded MSP (or MSSP) partner. At the root of this change: cyber threats and the corresponding cybersecurity countermeasures in the HICP guidelines have become so complicated that smaller-scale healthcare delivery organizations, and the businesses attached to them, can no longer be expected to navigate those complexities without expert support. For example, prescriptive cybersecurity controls, including automated threat detection and mitigation, are quickly becoming essential. Getting this right substantially curtails security risk, provided those tools are in the hands of people (internal or external) who know how to use them well.

The more things change…

While the sophistication of modern-day cyberattacks and security protections has reached an unprecedented level, the fundamentals remain the same. Safeguarding patients’ HIPAA-protected data requires thorough risk assessments to flag vulnerabilities, effective data encryption and access control, continuous employee training, and incident response planning to meet and overcome challenges as they arrive. Pairing that strong foundation with evolving protections—aligned with an awareness of the latest regulatory behaviors, security controls, and HIPAA guidelines—is the recipe for successful healthcare cybersecurity today.

About Cam Roberson

Cam Roberson is Vice President at Beachhead Solutions, a San Jose-based cybersecurity company. Cam previously worked in product management roles at Apple.