The Impact of Health Care Regulations on Cybersecurity

July 31, 2023

A colleague asked me recently, “HIPAA was written 25 years ago. Why are we still talking about it today?”

 

This is a complex question requiring some context to answer. The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 and applies to covered entities (CE). However, numerous amendments and subsequent regulations have expanded upon or changed how HIPAA enforcement works.

 

 

Summary of Regulations

After HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH) arrived in 2009 as a part of the American Recovery and Reinvestment Act (ARRA). HITECH rewards providers for using electronic medical records (EMR) systems, but the act also enhances the controls for electronic protected health information (ePHI). HIPAA came out when providers were using paper records, and the rule was written to manage privacy in a paper-dominated world. As computers and electronic records took over, modifications were needed. Concepts like auditing and monitoring, as well as access logs and encryption, were introduced. There was also an increased use of business associates (BA), the subcontractors or vendors who process protected health information (PHI) on behalf of the covered entity. Business associates proved valuable in promoting the use of business associate agreements (BAA) to communicate the intent of the covered entity and require that the BA introduce the same controls as the CE.

 

In 2013, the Department of Health and Human Services (HHS) passed the Omnibus Rule. This rule enables the Office of Civil Rights (OCR), which enforces HIPAA/HITECH, to fine BAs in addition to CEs. The Omnibus Rule also strengthens patients’ rights by requiring specific abilities to access and restrict disclosure of their PHI.

 

 

Impact on Cybersecurity

Most important to cybersecurity is HIPAA’s Breach Notification Rule, which mandates that CEs and BAs notify and report to the Secretary of Health and Human Services any breaches of unsecured, protected health information affecting over 500 people. This regulation is one contributing reason that the health care industry has the highest number of reported data breaches.

 

The Cybersecurity Information Sharing Act of 2015 (CISA) section 405(d) intends to strengthen the cybersecurity posture of health care and public health. In 2017, empowered by CISA, the Department of Health and Human Services established the 405(d) task group, including health care thought leaders, to provide cybersecurity guidelines to protect PHI. The task group researched the most common cybersecurity security threats and published the Health Industry Cybersecurity Practices (HICP), a set of best practices to cost-effectively reduce cybersecurity risks for all types and sizes of health care organizations. These threats and associated industry recommended practices are the desired minimum controls that a covered entity should implement to protect patients.

 

The last piece of the puzzle is a 2021 amendment to the HITECH Act, which enables reduced penalties for BAs who have implemented “Recognized Security Practices” (RSPs). The Office of Civil Rights (OCR) will consider an organization’s established RSPs for the past 12 months during their audit review and penalty enforcement processes. A 2022 OCR video outlines RSPs as either part of the NIST Cybersecurity Framework (CSF) CSF or approaches documented under section 405d. That is why HIPAA continues to be a hot topic today!

 

 

How Optiv Can Help

Optiv is a strong proponent of implementing a security framework to simplify IT risk identification, assessment and monitoring. When used in conjunction with regulations like HIPAA/HITECH, this framework helps safeguard an organization's data against threats and vulnerabilities by providing the supporting structure needed to protect internal data against cyber threats and vulnerabilities. Therefore, Optiv recommends that all health care organizations evaluate either the NIST CSF or HICP and implement one of these two recognized security practices to reduce risk of HIPAA fines.

Brian Golumbeck
Director, Strategy and Risk Management | Optiv
Brian Golumbeck is a Practice Director within Optiv Risk Management and Transformation Advisory Services Practice. He has a history of leading challenging projects and building dynamic high impact teams. Mr. Golumbeck’s 25+ years working in Information Technology, include 20+ years as an information security professional. Brian is a Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Controls (CRISC), Certified Information Security Manager (CISM), Certificate of Cloud Security Knowledge (CCSK), EXIN/ITSMf ITIL Foundations, and Lean Six Sigma – Greenbelt.
Keith Forrester
Practice Manager - Strategy and Risk | Optiv
As a Practice Manager in Optiv’s Strategy and Risk Practice and responsible for Healthcare Service delivery, Keith leads a team of security professionals in the delivery of cybersecurity strategy, technology, and information risk management projects. He has over 25 years of information security governance and risk management experience supporting various industry sectors, including health care, technology, government, utility, and banking. His general background includes extensive experience delivering risk and regularity assessments, developing governance and compliance programs, and supporting vCISO engagements.

Keith is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), PCI-DSS Qualified Security Assessor (QSA), HITRUST Certified CSF Practitioner (CCSFP), Certified HITRUST Quality Professional (CHQP) and Lean Six Sigma – Greenbelt.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.