11.05.2022 13:30

The New HIPAA Bill Aims to Bolster Cybersecurity


Businesses and providers in the U.S. healthcare industry can finally find some good news in what has long seemed an overwhelming law. HIPAA, which stands for the Health Insurance Portability and Accountability Act, was established in 1996.

It is now popularly known as the law that governs the privacy and security of healthcare information, in addition to facilitating health coverage when switching or leaving jobs. Although monumental, the law fails to address some of the challenges that healthcare providers face today.

HIPAA and Cybersecurity

When HIPAA came into existence, cybersecurity was barely a concern. Today, cybersecurity incidents plague the healthcare sector and account for most data breaches in the industry.

HIPAA’s rules and regulations are often regarded as extensive and tedious. Dozens of covered entities and business associates receive penalties and enforcement actions for data breaches every year, and many of these breaches stem from cybersecurity incidents.

Cyberattacks have become more sophisticated, and their nature is constantly evolving, sometimes making these attacks completely unavoidable. On the other hand, HIPAA does not provide any specific guidelines regarding cybersecurity, only a few vague recommendations here and there.

It seemed unfair that the victimized entities have had to pay fines for breaches they could do very little to avoid. What’s more worrying is that cyberattacks have increased by 45% since November 2020.

What changed?

On January 5, 2021, President Trump signed the HIPAA Safe Harbor bill (H.R. 7898) into law. The bill amends the HITECH Act. The Department of Health and Human Services (HHS) is now required to give organizations credit for adopting best-practice security.

It means that covered entities and business associates can now have reduced HIPAA fines and penalties for data breaches if they employ strong industry-standard security measures.

As a result, HHS now has to consider the security measures an organization implemented over the past 12 months before issuing fines and penalties. In addition, there are a few key things to take note of.

First, HHS has to take into account cybersecurity measures when calculating fines related to security incidents.

Second, HHS has to reduce the extent and length of an audit if an organization satisfies industry-standard best practices.

Third, HHS cannot increase fines or length of an audit if an organization is found out of compliance with recognized security standards.

The term recognized security standards refers to the guidelines under the NIST Act and Cybersecurity Act of 2015.

This is tremendously exciting news, and it encourages providers to make additional investments in more robust cybersecurity measures.

Healthcare organizations, including business associates, will now be assessed by reviewing their consistency with the HIPAA Security Rule. The law also aims to encourage organizations to immediately put a documented security plan of action in place after conducting security risk assessments.

In any case, healthcare providers need to address many aspects of their practice to ensure that their security is airtight. On that note, let’s look at a few ways that can help healthcare providers improve their cybersecurity.

Tips To Improve Cybersecurity in Healthcare

Cyberattacks and hacking attempts are becoming increasingly sophisticated. Many healthcare providers have suffered a security breach even after following industry-recognized practices. Still, here are a few strategies that healthcare providers, as well as business associates, can follow to mitigate risks:

Fostering a Strong Culture of Security

A culture of good privacy and security practices will only take hold if it comes from top management. Data security practices should be rallied around as a corporate value, and a smart way to go about this is to include security in the company’s core values. Sufficient staff and funding are also essential.

Securing Mobile Devices

The introduction of BYOD has had a tremendous impact. While there are many benefits, it also presents security risks. Moreover, the COVID-19 pandemic has only accelerated the need for mobile devices for work purposes. When employees access the company’s database over personal networks, attackers look for loopholes and weak links in those networks.

It is also essential to limit access to sensitive information to authorized individuals only. Encryption and other security mechanisms are essential when transmitting PHI from mobile devices.
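As an added illustration of the "authorized individuals only" point above (this is example code written for this page, not something from the article or from any HIPAA compliance product), the block below gates reads of PHI fields by role and writes every decision to an audit trail. The roles, field names and the sample patient record are constructed placeholders; encryption in transit is assumed to be handled by TLS at the transport layer and is not shown here.

```python
"""Added example: a minimum-necessary access gate for PHI with an audit trail.

Assumptions (constructed for illustration): the roles, the record layout and
the sample record below are invented. A real deployment would take roles from
its identity provider, records from its datastore, and would encrypt PHI in
transit (TLS) and at rest with a vetted library.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which PHI fields each role may read. A role that is not listed gets nothing,
# which is the safe default for an unknown or mistyped role.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id"},
    "front_desk": {"name", "appointment"},
}

# Constructed sample record; every value is a placeholder, not real data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1970-01-01",
    "diagnosis": "placeholder-diagnosis",
    "medications": ["placeholder-medication"],
    "insurance_id": "INS-PLACEHOLDER",
    "appointment": "2022-05-12T09:00",
}


@dataclass
class AuditLog:
    """Append-only list of access decisions (allowed and denied alike)."""
    entries: list = field(default_factory=list)

    def record(self, user, role, patient_id, fields, allowed):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "patient_id": patient_id,
            "fields": sorted(fields),
            "allowed": allowed,
        })


def access_phi(record, user, role, requested, audit):
    """Return only the requested fields the role is permitted to read.

    A request that asks for any field outside the role's allowed set is
    denied outright and logged, rather than silently trimmed, so over-broad
    queries show up in the audit trail instead of being hidden by filtering.
    """
    permitted = ROLE_FIELDS.get(role, set())
    requested = set(requested)
    if not requested <= permitted:
        audit.record(user, role, record["patient_id"], requested, False)
        denied = sorted(requested - permitted)
        raise PermissionError(f"role {role!r} may not read {denied}")
    audit.record(user, role, record["patient_id"], requested, True)
    return {name: record[name] for name in requested}


if __name__ == "__main__":
    log = AuditLog()
    print(access_phi(SAMPLE_RECORD, "u1", "billing", ["name", "insurance_id"], log))
    try:
        access_phi(SAMPLE_RECORD, "u2", "front_desk", ["diagnosis"], log)
    except PermissionError as exc:
        print("denied:", exc)
    for entry in log.entries:
        print(entry)
```

The design choice worth noting is that a denied request is logged with the full list of fields that were asked for: under an audit-controls review, the pattern of what people tried to read is as informative as what they were given.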

Proper Staff Training

Education in cybersecurity is a rare thing for healthcare employees. In my opinion, cybersecurity should be part of the HIPAA security training. Employees should be taught using real-life hacking and phishing examples. All employees should be able to detect suspicious behavior and report it immediately.

Updating Software and Operating Systems

A lackluster approach to security patches and software updates exposes healthcare organizations to unnecessary threats. Every time a software update is released, both users and attackers learn about it. The older version usually has vulnerabilities that can be easily exploited.

New operating systems also come with updated and modern defense mechanisms. Therefore, updating operating systems to the current version is always recommended.

Ensure Compliance and Get Incentives

Presumably, more organizations will want to employ strong cybersecurity measures because of the new HIPAA Safe Harbor bill. To simplify the risk assessment process, many leading healthcare organizations are using HIPAA compliance software. These tools build all the necessary steps into the application, so you do not have to learn the entire law yourself.

You just need to follow the steps outlined within the application. Moreover, you can conduct security risk assessments and produce the required documentation with little effort.

Compliance and security go hand in hand, and following the HIPAA Safe Harbor bill is a good idea, not only because it will help covered entities and business associates defend against substantial fines, but also because it will drastically reduce the likelihood of damaging cyberattacks and ransomware.
