Navigating Best Practices for HIPAA, 405(d) and CPGs

This blog is based on part five of our 5-part webinar series, “HIPAA Audits Are On The Way—Are You Ready?”

The U.S. Department of Health and Human Services (HHS) recently announced the return of random HIPAA audits, underscoring how critical data privacy and security are for healthcare organizations and the need for broader adoption of HIPAA best practices. The audit announcement follows a multi-year period in which HHS paused audits after results from previous rounds highlighted compliance gaps among covered entities and business associates.

While periodic audits have always been a requirement under the HITECH Act, HHS’s renewed focus highlights the need for a better understanding of HIPAA expectations and for healthcare organizations to adjust to a more proactive approach to data privacy and security. 

These developments come during a rising tide of cyberattacks targeting healthcare organizations. In the first five months of 2024, OCR launched investigations into nearly 300 cyber incidents, each affecting 500 or more individuals. The largest to date, an unauthorized access/disclosure of a network server at Kaiser Foundation Health Plan, Inc., exposed sensitive healthcare data for 13.4 million people.

While the HHS audit announcement should put healthcare organizations on high alert to ensure they’ve implemented reasonable and appropriate HIPAA privacy and security programs, breaches like Kaiser’s should be a wake-up call that you can’t wait for an audit to uncover where you have gaps. Threat actors actively work around the clock to take advantage of your exposures.

But where do you start?

By implementing industry-recognized best practices, you can reduce the risk of a data breach and position your organization favorably for a potential audit. That is especially important because, if you experience a breach or security incident, documented evidence that you’re following recognized security practices can lead to reduced fines, shorter audits, and more favorable outcomes when working with HHS.

Understanding HIPAA Best Practices

In simple terms, recognized security practices are standards, guidelines, best practices, methodologies, and procedures developed, recognized, or promoted through statutory agencies’ regulations.

Adopting industry-recognized practices benefits your organization from both a cyber risk management and a security perspective. Unfortunately, many healthcare organizations struggle to understand which best practices are most reasonable and appropriate. While there is no one-size-fits-all solution, all healthcare organizations can benefit from adopting the security practices outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and section 405(d) of the Cybersecurity Act of 2015.

Understanding NIST CSF 2.0

Organizations of any size can draw on NIST CSF 2.0 for data security best practices. The framework isn’t prescriptive; you can choose the best practices most appropriate for your organization based on size, sector, compliance requirements, and cybersecurity maturity level.

NIST released the most recent version, 2.0, in February 2024.

Every organization has common and unique risks, varying risk appetites and tolerances, specific missions, and objectives to achieve those missions. Therefore, the way you implement the CSF will vary by necessity.

The NIST Cybersecurity Framework consists of three components: Core, Organizational Profiles, and Tiers.

  1. Core: The Core has a hierarchical structure, starting with Functions and then Categories and Subcategories that detail each outcome. By design, a broad audience can understand these outcomes, regardless of cybersecurity expertise. And because outcomes are sector-, country-, and technology-neutral, you have the flexibility to address your organization’s unique attributes and goals.
  2. Organizational profile: The organizational profile describes your organization’s current and/or target cybersecurity posture regarding CSF Core outcomes.
  3. Tiers: Like maturity levels, Tiers apply to your CSF Organizational Profiles to characterize the rigor of your cybersecurity risk governance and management practices. Tiers also provide context for how your organization views cybersecurity risks and the processes you have in place to manage those risks.

Adopting NIST CSF in 5 Easy Steps

Successful adoption of CSF begins with defining a target organizational profile and understanding your organization’s current profile, then creating an action plan to move to your target organizational profile and implementing that plan. Here is a closer look at that process in five easy steps:

  1. Scope organization profile: Document high-level facts and assumptions you will base the profile on. You can have as many organizational profiles as you need, each with a different scope. For example, one profile could address your entire organization, or you could scope the profile to a specific system or process, such as countering ransomware threats or handling ransomware incidents involving the scoped system.
  2. Gather information: Examples of helpful information may include organizational policies, risk management priorities and resources, enterprise risk profiles, business impact analysis (BIA) registers, cybersecurity requirements and standards, practices, and tools (e.g., procedures and safeguards), and work roles.
  3. Create organizational profile: Based on selected CSF outcomes, determine which types of information the profile should include. Document this information. Be sure to also consider the risk implications of your current profile. This will inform target profile planning and prioritization. Also, consider using a community profile or other industry guidance to inform your target profile. A key step in adopting CSF is creating a reasonable and appropriate organizational target profile. This is often a struggle for organizations, especially if you have not conducted a proper risk analysis. A target profile specifies your desired outcomes and prioritized steps to achieve your cybersecurity risk management objectives. A target profile also considers anticipated changes to your cybersecurity posture, such as new requirements, new technology adoption, and threat intelligence trends.
  4. Analyze gaps and create an action plan: Conduct a gap analysis to identify and analyze the differences between your current and target profiles. Next, develop a prioritized action plan (e.g., risk register, risk detail report, Plan of Action and Milestones [POA&M]) to address those gaps.
  5. Implement an action plan and update your profile: Follow your action plan to address gaps and move your organization toward your target profile. Your action plan may have an overall deadline or be ongoing.

You may also find it helpful to use the Health Sector Coordinating Council (HSCC) Joint Cybersecurity Workgroup (JCWG) NIST CSF Implementation Guide to support CSF adoption.


Understanding 405(d) Health Industry Cybersecurity Practices (HICP)

The 405(d) Health Industry Cybersecurity Practices provide voluntary cybersecurity recommendations to enhance your security posture, aiming to effectively protect patient data and mitigate the current top five cyber threats.

These practices are structured into three volumes, covering cybersecurity best practices for small, medium, and large healthcare organizations. They include specific practices tailored for using networked medical devices.

  1. Main document: Discusses the current cybersecurity threats facing the public health sector. It establishes a call to action for the industry, especially executive decision-makers, to raise general awareness.
  2. Technical Vol. 1: While all healthcare organizations face the same types of threats, what’s reasonable and appropriate for a small organization may not be the same for a medium or large organization. HICP takes that into consideration with Technical Volume 1, which specifically targets smaller organizations. It outlines 10 cybersecurity practices and their sub-practices. It is intended for use by IT and/or cybersecurity professionals but also serves as a guide to what to ask IT and/or cybersecurity teams or vendors.
  3. Technical Vol. 2: Outlines 10 cybersecurity practices and their sub-practices for medium-sized and large healthcare organizations. It is intended for IT and/or cybersecurity professionals. If you’re a large organization, you should implement both the medium and the large-organization practices. If you’re a medium-sized organization, you implement only the medium practices, not the small and medium practices.

405(d) Top 5 Cyber Threats

405(d) HICP recommends practices that specifically address the industry’s top five cyber threats. The top-level practice categories are the same for all organization sizes and types, but the sub-practices differ based on anticipated risk level, resources, and the nature of the business:

Top 5 threats

  1. Social engineering
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Insider, accidental, or malicious data loss
  5. Attacks against network-connected medical devices that may affect patient safety

10 recommended security practices that address these threats:

  1. Email protection systems
  2. Endpoint protection systems
  3. Identity and access management
  4. Data protection and loss prevention
  5. IT asset management
  6. Network management
  7. Vulnerability management
  8. Security operations center (SOC) and incident response
  9. Network-connected medical device security
  10. Cybersecurity oversight and governance

What’s Reasonable and Appropriate?

Unlike NIST CSF where you can choose what’s reasonable and appropriate for your organization — without implementing all the controls — 405(d) offers guidance based on organization size, defined in the main document. Larger organizations will have expectations of more rigorous cybersecurity practices than smaller ones.

Key considerations:

  • Your organization’s characteristics.
  • Nature of the products and/or services you provide, which may decrease or increase the complexity of your cybersecurity needs.
  • You may also consider practices outside your size category as you continuously mature your cybersecurity strategy.
  • If your organization is small but tightly linked with other small organizations, or with a large organization with which it shares information, it may be appropriate to increase the level and strength of your controls in accordance with that shared risk.

2023 Hospital Cyber Resiliency Initiative

HHS recently coordinated with the Health Sector Coordinating Council (HSCC) on a cyber resiliency initiative to measure the successful adoption of 405(d) HICP within hospitals. This study provides insight into where organizations continue to struggle and where additional focus is needed. When preparing for your next audit, this list can serve as a foundation to ensure you’ve implemented practices to address each concern:

  • Components with significant progress
    • Email protection systems
  • Components with urgent need for improvement
    • Endpoint protection systems
    • Identity and access management (IAM)
    • Network management
    • Vulnerability management
    • Security operations center (SOC) and incident response
  • Components with need for additional research/follow-up
    • IT asset management
    • Cybersecurity oversight and governance
    • Network-connected medical devices
  • Components where further attention is recommended
    • Data protection and loss prevention

Other Helpful Resources

NIST SP 800-66 Rev 2 provides practical guidance and resources your organization can use to safeguard ePHI and better understand the security concepts discussed in the HIPAA Security Rule. Its stated objectives are to:

  1. Help each organization select security practices and controls that adequately safeguard the ePHI for which it is the steward.
  2. Inform the development of compliance strategies appropriate to organizational size and structure.
  3. Provide guidance on best practices for developing and implementing a risk management program.
  4. Help create appropriate documentation that demonstrates effective compliance with the HIPAA Security Rule.

NIST SP 800-66 Rev 2 also provides specific guidance on risk assessments and risk management, as well as considerations for implementing the HIPAA Security Rule:

Risk analysis

  1. Prepare for assessment: Understand where you create, receive, maintain, process, and transmit ePHI. Identify ePHI generation, where and how it enters, moves, is stored, and leaves your organization.
  2. Identify reasonably anticipated threats: Identify potential threat events and sources applicable to your organization and its operating environment.
  3. Identify potential vulnerabilities and predisposing conditions: Develop a list of vulnerabilities that the identified threat sources could exploit. This list should cover both technical and non-technical areas.
  4. Determine likelihood: For each threat event/threat source identified in step 2, consider the likelihood the threat will occur and the likelihood a threat could exploit a vulnerability, resulting in adverse impact.
  5. Determine impact: Determine the impact that could occur to ePHI if a threat actor exploits a vulnerability. You may choose to express this impact in qualitative terms or another scale.
  6. Determine risk level: Assess the level of risk to ePHI while considering information gathered and determinations made during previous steps.
  7. Document: After you complete the risk assessment, document the results.

Risk management

  1. Compare the assessed ePHI risk against your risk tolerance.
  2. Implement additional security controls to reduce ePHI risk to an acceptable level.
  3. Document risk management activities.

Security Rule implementation considerations

For each HIPAA Security Rule standard, the publication provides:

  • Key activities: Actions often associated with the security functions each HIPAA Security Rule standard suggests.
  • Description: An expanded explanation of the key activities and the types of activities your organization may pursue when implementing a standard.
  • Sample questions: Questions you may ask to determine whether your organization has adequately implemented the standard.

In addition to the NIST 800-66 Rev 2 main document, the Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, 2.0.0 can help you cross-reference HIPAA requirements to NIST CSF, NIST Special Publications, and other control frameworks.

HHS Cybersecurity Performance Goals (CPGs)

Another helpful resource is the HHS Cybersecurity Performance Goals (CPGs). These are a voluntary subset of cybersecurity practices intended to prioritize and strengthen your cyber preparedness, improve cyber resiliency, and protect patient health information and safety. CPGs are mapped to HICP practices, sub-practices, and NIST 800-53 controls.

Essential goals

  • Mitigate known vulnerabilities
  • Email security
  • Multifactor authentication
  • Basic cybersecurity training
  • Strong encryption
  • Revoke credentials for departing workforce members, including employees, contractors, affiliates, and volunteers
  • Basic incident planning and preparedness
  • Unique credentials
  • Separate user and privileged accounts
  • Vendor/supplier cybersecurity requirements

Enhanced goals

  • Asset inventory
  • Third-party vulnerability disclosure
  • Third-party incident reporting
  • Cybersecurity testing
  • Cybersecurity mitigation
  • Detect and respond to relevant threats and tactics, techniques, and procedures
  • Network segmentation
  • Centralized log collection
  • Centralized incident planning and preparedness
  • Configuration management

Building Your Cybersecurity Program

So, how do you get the most out of these recommendations to build a reasonable and appropriate cybersecurity program that aligns with your organizational goals and risk appetite? Industry standards are your foundation. Whether you’re using one set of guidance or all of those mentioned above, here are five steps to keep you on the right path to building a compliant program:

  • Step 1: Gather and review information. Consider:
    • Corporate strategy
    • Business impact assessment
    • IT assets
    • Resources
    • Customer expectations
    • Partner expectations
    • Compliance requirements
  • Step 2: Create an organizational target profile. Consider:
    • NIST CSF 2.0
    • 405(d) practices
    • Informative references
    • Risk analysis
    • Community profiles
    • HSCC JCWG implementation guidance
  • Step 3: Identify gaps between the current and target profiles
    • NIST CSF Maturity or a gap assessment
  • Step 4: Create an action plan:
    • NIST 800-53
  • Step 5: Implement an action plan and update the profile
    • NIST CSF 2.0

By implementing industry-recognized best practices and leveraging the right tools, you can build a proactive defense against emerging cyber threats. A comprehensive approach starts with a thorough understanding of HIPAA regulations, HIPAA best practices, supporting resources, and a commitment to ongoing assessments.

For organizations seeking a streamlined path to HIPAA compliance, Clearwater Security can simplify best practice implementation by automating key tasks like risk analysis. Need help identifying which best practices are reasonable and appropriate for your organization? Clearwater’s healthcare security and compliance experts can guide you through every step of the process, from framework selection and implementation to ongoing support.
