Cyberattacks against healthcare entities rose 45 percent in just the last two months, according to Fortified Health Security. The increase in attacks and investigations has led the Healthcare and Public Health Sector Coordinating Council (HSCC) to push the Department of Health and Human Services (HHS) to take a slightly different approach. HSCC commented, “there is a perception among many in health care that regulatory enforcement actions taken under the Health Insurance Portability & Accountability Act (HIPAA) have applied severe penalties against organizations victimized by cyberattacks in spite of their well-resourced programs that employ industry best cybersecurity practices. More importantly, this provision serves as a positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and, ultimately, patient safety.”

As a result, on January 5th, 2021 HR 7898 was signed into law. The HIPAA Safe Harbor bill amends the HITECH Act to require HHS to incentivize best cybersecurity practices. The law requires HHS to consider a covered entity’s or business associate’s implementation and use of industry-standard security practices, and those practices must also be considered when calculating fines related to security incidents.

As we know, HIPAA’s vague definitions of standards can leave organizations searching for answers on what to prioritize and what is acceptable. In the case of HR 7898, ‘recognized security practices’ refers to those outlined in the NIST Act “and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities,” according to the law.

We at BlueOrange are happy to see the encouragement of the healthcare industry to put their best cybersecurity foot forward! Implementing cybersecurity best practices will help protect healthcare organizations and the communities that rely on them.