Signed into law by former President Trump on January 5 of this year. HR 7898 is an amendment or provision to the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This new law requires the U.S. Department of Health and Human Services (HHS) to consider a healthcare entity’s adoption of cybersecurity best practices when determining the length and outcome of audits or the amount of fines or extent of penalties it will impose.
While some have referred to HR 7898 as a HIPAA Safe Harbor, the provision does not help healthcare covered entities or business associates avoid liability for HIPAA violations. The law clearly states that “Nothing in this section shall be construed to limit the Secretary’s authority to enforce the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title), or to supersede or conflict with an entity or business associate’s obligations under the HIPAA Security Rule.” Instead, it requires HHS Office for Civil Rights (OCR) to consider if the covered entity or business associate adequately demonstrated that it adopted certain recognized cybersecurity practices for the year preceding an audit or investigation. If so, OCR should consider this when determining the length and outcome of the audit, fines, or resolution agreement terms.
Therefore, HR 7898 does not prevent OCR from imposing fines or penalties. It does not provide a safe harbor for HIPAA compliance. Instead, it intends to encourage entities to implement cybersecurity best practices, and if they do, they should experience reduced scrutiny and punishment when it comes to OCR enforcement activities. In short, healthcare entities that find themselves the subject of an audit or investigation should see advantages if they have already adopted recognized best practices.
If you haven’t done so already, HR 7898 is an excellent incentive for your organization to adopt and implement at least one (or more) recognized framework for cybersecurity, privacy, and risk management.
HR 7898 defines recognized security practices as: “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
Currently, the two named practices identified within HR 7898 to consider are:
- NIST Cybersecurity Framework
- CSA of 2015 Section 405(d)
Some commentators have suggested that other industry frameworks also meet the requirements of HR 7898. Their claims typically rely on the fact these frameworks are mapped to the NIST Cybersecurity Framework and published by NIST as informative references. It is not clear that because NIST accepts a framework as an informative reference, HHS should view it as a recognized security practice under HR 7898. In fact, NIST’s Informative Reference website states explicitly, “Disclaimer: Informative References are linked to by NIST for informational purposes only and do not constitute an endorsement by NIST of the submitted content.” Therefore, we advise that an organization that wants to get the benefits of HR 7898 adopt either the NIST Cybersecurity Framework or Section 405(d).
In addition to the implementation of one or more of these frameworks for your organization, don’t forget about working closely with your business associates (BA) to ensure they’ve adopted industry best practices as well.
If you represent a covered entity, it is important to remember that you carry a brunt of responsibility if your BA experiences a breach that affects your protected data. And, since the covered entity is responsible for reporting breaches, you’ll want to operate with confidence that your BAs implement processes that keep your electronic personal health information (ePHI), personally identifiable information (PII), and other sensitive data safe.
Your organization and your business associates have the leeway to determine which practices you adopt. The NIST Cybersecurity Framework is one you may want to consider.
This framework identifies five core functions:
- Identify
- Protect
- Detect
- Respond
- Recover
There are 22 related categories for those five functions, followed by almost 100 subcategories of security activities to help guide your program development.
Here’s a quick look at those core categories and how they relate to the five functions:
- Identify
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy
- Protect
- Access Control
- Awareness and Training
- Data Security
- Information Protection Processes and Procedures
- Maintenance
- Protective Technology
- Detect
- Anomalies and Events
- Continuous Monitoring
- Detection Processes
- Respond
- Response Planning
- Communications
- Analysis
- Mitigation
- Improvements
- Recover
- Recovery Planning
- Improvements
- Communications
With the NIST Cybersecurity Framework, your organization can choose which controls and functions make the most sense today. Then you can implement additional controls over time to mature your cybersecurity posture.
As mentioned above, there are numerous control catalogs and frameworks mapped to the NIST Cybersecurity Framework as informative references. These mappings provide flexibility to organizations when deciding on a control framework for their organization. For example, NIST 800-53, ISO, and CIS controls are mapped to the Framework. Also, there is a mapping of Section 405 (d) to the Framework. This mapping can help organizations decide the extent of controls or elements of the Framework that are right for them, using the excellent information within the 405(d) documentation on recommended baseline controls for organizations of different sizes.
An essential benefit of the NIST Cybersecurity Framework is that it facilitates the conversation between your information security team and your executives and key stakeholders. This conversation is often overlooked and is crucial to help frame your cybersecurity program in a way that not only protects and secures your sensitive data but also aligns it to your organization’s overall goals and objectives. It’s intended to facilitate these types of discussions at all levels across your organization.
You can use the five core functions, for example, as an outline to give your board members a high-level look at the heart of your program, what you want to achieve, and why it’s important. Then you can go a little deeper with your executives by breaking down those 22 related categories, saving the subcategories and individualized controls conversations for your teams responsible for managing and maintaining these activities on an ongoing basis.
In addition to maturing your cybersecurity practices by implementing a framework similar to NIST, you can also get better insight into your HIPAA compliance performance by mapping your existing HIPAA-related processes to the NIST Cybersecurity Framework.
Doing this type of mapping can help you understand all of your compliance requirements. It can help measure performance and identify security gaps before you experience a breach. It can also help identify non-compliance before a regulatory body cites you or a valued partner calls into question your meeting of contractual requirements. You can also use this approach to understand better, assess, and manage your organization’s risks and risk profile.
Here’s an example. Phishing schemes are on the rise, and healthcare entities are prime targets.
- What’s your risk of falling prey to a phishing scheme?
- What would the impact of a successful phishing attempt be on your organization?
- If a phishing attempt is successful at each level within your organization, what could the potential impact be?
- How long would it take your team to find this breach?
- What lateral movement could an attacker make within your organization? How can you mitigate these risks?
- What plans do you have in place to stop an active breach, contain it, and recover to business as usual?
While HIPAA requires you to keep that sensitive data safe, mapping that requirement to your security and risk management frameworks can help you see where you have deficiencies so you can address them before a risk becomes a reality. If you can demonstrate to OCR you have these practices in place for the previous year; you should see reduced penalties if a HIPAA violation is found.
With HIPAA, we talk about having a cybersecurity program that’s reasonable and appropriate for your organization. There can be a lot of ambiguity there, but adopting a framework like the NIST Cybersecurity Framework can give you a solid structure for your program, and HR 7898 provides additional support that your program meets the reasonable and appropriate standard.