Healthcare providers have a responsibility to their clients to keep sensitive personal data safe. Under a new healthcare law, adherence to cybersecurity best practices can mean lower fines and ensure shorter audits if there's a data breach.
How the New Law Changes HIPAA Liability
The new law passed by Congress is a safe harbor law for healthcare providers. Under H.R.7898, the Department of Health and Human Services (HHS) must consider the cybersecurity practices an organization had in place when determining how severe penalties and fines should be, and how long the organization must be audited. Following best practices does not offer blanket HIPAA immunity. Nor does it allow HHS to impose heavier fines and penalties, or specifically choose longer audits, if best practices are not followed.
However, a history of strong cybersecurity practices can mean milder penalties and shorter, less intensive audits. Healthcare entities must show that they have had their security practices in place for at least the last 12 months. Depending on the nature of the breach and your organization's history, HIPAA violation penalties remain serious. However, being able to demonstrate due diligence can only work in your favor.
Protecting Your Organization from Breaches
Data breaches are among the most critical issues facing healthcare providers today, with statistics showing a steady rise in incidents over the past decade. Between 2009 and 2020, over 268 million healthcare records were affected by theft, loss, or exposure. 2020 saw more breaches than any other year since HHS began compiling and publishing data on healthcare cyber breaches in 2009.
It can be difficult to protect against vulnerabilities when the methods of attack are constantly changing. However, a strong investment in cybersecurity can provide protection against some of the most common styles of attack. The new law incentivizes organizations to increase their investment in cybersecurity to meet regulatory compliance benchmarks.
Elements of Accepted Best Practices
Each organization has its own unique systems and vulnerabilities. However, there are a few industry-standard cybersecurity controls that can improve your chances of being treated favorably in the event of a HIPAA violation.
System and Organization Controls (SOC) reports should be produced regularly. These reports focus on five categories known as the Trust Service Principles. Good practices in those areas can reduce your risk of information leaks.
Seeking HITRUST (Health Information Trust Alliance) certification can help you assure that you are staying compliant with HIPAA regulations. This certification allows organizations to address their specific risk factors. By adapting the requirements to fit your size, structure, and specific risks, you can be safer against cyber intruders.
Cybersecurity Is an Ongoing Task
The sorts of attacks that healthcare organizations face continue to change. Best security practices will continue to change with them. By ensuring that you are always up to date with the most recent best practices, you can cut your chances of HIPAA headaches. Your organization will be more resilient against attacks and, if one should occur, you will have evidence that you took action to keep patient information safe.