The Department of Health and Human Services’ (HHS) voluntary cybersecurity practices for providers underscore the government’s priority of protecting electronic patient information and the need for providers to integrate the new guidance into their compliance programs.
The guidelines were written specifically for the health care industry. Health care entities remain a primary target for cyberattacks, warns attorney Michael Kline, with Fox Rothschild in Princeton, N.J.
HIPAA enforcement is at an all-time high. The HHS Office for Civil Rights (OCR) assessed a record $28.7 million in fines and settlements in 2018. And a data breach now costs a health care entity $408 per record, the highest of any industry.
HHS’ four-part guidance publication outlines five threats to the industry, concrete real-world examples of cyberattacks on health care organizations, and ways to mitigate the threats.
The guidance is voluntary, but it does indicate what HHS might be looking for when assessing whether a provider is taking adequate steps to protect itself and patient records.
CliffsNotes for HIPAA compliance
The compliance requirements are not new, but the presentation in the new guidance is more user-friendly.
“It’s palatable. This is more consumer oriented and less technical, and broken down into understandable pieces. It’s like CliffsNotes for the National Institute of Standards and Technology guidances [which are very technical],” says attorney Elizabeth Litten, also with Fox Rothschild.
The easy-to-read guidance may be more effective than technical documents when it is time to educate staff about cybersecurity, Kline says.
Key actions for cybersecurity
HHS’ cybersecurity guidance provides a good starting point for assessing “cybersecurity hygiene.” To incorporate its advice into your program, consider these tips:
- Conduct a risk assessment of your systems, using the guidance’s checklists as a tool. “The risk assessment should be on everything [where patient information may be],” Litten says. If you uncover a vulnerability, remediate it or document how the risk is being managed.
- Incorporate the guidance into HIPAA training. “Because of its volume, use it in pieces for education,” Kline says.
- Use it as a quick reference source should an incident occur. It can help you determine what action to take and/or whether you need outside help.
- Ask an IT professional where your systems can be improved. “There’s nothing in [the guidance] that seems a huge expense, and improvements should be compatible with what the system has in place,” Litten says. For instance, adding a firewall may be as simple as enabling the host firewall already built into your existing operating systems, though a host firewall protects only that machine and does not replace network-level controls.
- Focus on recent HIPAA settlements. They show which of the cybersecurity threats have been on OCR’s front burner. — Marla Durben Hirsch
Related link: View HHS’ voluntary cybersecurity guidance at https://bit.ly/2D7MRyE.