HIPAA Law Incentivizes Adoption of Cybersecurity Leading Practices
Healthcare cybercrime is on the rise. As a result, Congress is seeking ways to help protect individuals’ personal data and information, including by encouraging healthcare organizations and businesses to adopt cybersecurity leading practices.
Congress recently passed a safe harbor law requiring that the Department of Health and Human Services (HHS) consider a healthcare organization’s established cybersecurity practices when reviewing HIPAA violations. If healthcare organizations have followed cyber leading practices, the law requires that HHS take that into consideration when determining the severity of potential penalties and the length of required audits. By confirming that cybersecurity controls are in line with industry standards — such as leveraging System and Organization Controls (SOC) reports — healthcare organizations and businesses can improve their chances of receiving a smaller penalty or an easier audit process.
Continue reading for more about what the law, H.R. 7898, means for healthcare covered entities.
How the Law Changes HHS’s Review of HIPAA Violations
H.R.7898 stipulates that in the event of a HIPAA violation, HHS is required to “consider certain recognized security practices of covered entities and business associates” when determining the length and outcome of an audit or the severity of any penalties or fines that may be imposed. Importantly, the law specifies that to qualify for this consideration, healthcare entities need to have had such security practices in place for at least the previous 12 months.
The law does not promise immunity from HIPAA liability when cybersecurity best practices are in place, nor does it allow HHS to impose more severe fines, penalties, or audits if best practices are not followed. The law does, however, offer the potential for milder penalties and shorter, less extensive audits if the entity can demonstrate that appropriate cybersecurity measures are in place. In this way, H.R.7898 incentivizes healthcare organizations to adopt or increase their investment in industry-standard cybersecurity practices.
Addressing a Pressing Issue
The new law shines a light on one of the most critical issues facing the healthcare industry today. Data breach statistics indicate a steady rise in incidents over the past decade. In fact, 2020 saw the most breaches since the HHS began compiling and publishing data in 2009. Between 2009 and 2020, thousands of breaches have resulted in the loss, theft, or exposure of some 268 million healthcare records.
Cyber criminals use various tactics such as ransomware, malicious software that infects a computer and holds it ‘hostage’. The malicious actor then demands payment before the system and the data it contains become usable again.
While healthcare organizations strive to shore up key vulnerabilities, it can be challenging to keep current with the ever-changing methods of attack. The law seeks to address this by incentivizing organizations to increase investment in cybersecurity for the benefit of regulatory compliance.
Validate Your Controls with a SOC for Cybersecurity Examination
One way healthcare covered entities and businesses can demonstrate the effectiveness of the processes and controls they have in place to detect, respond to, mitigate and recover from breaches and other security events is through a System and Organization Controls (SOC) for Cybersecurity examination.
Designed to keep pace with an increasing focus on mitigating and managing risk, the AICPA’s SOC for Cybersecurity risk management reporting framework – through which control specialists at The MFA Companies can issue a report – is intended to be used to effectively assess an organization’s cybersecurity risk management program. Information in the report can be used to help senior management, Boards of Directors, analysts, investors, and business partners gain a better understanding of an organization’s efforts.
The SOC for Cybersecurity report includes three main components:
- Management’s Description: A written description of the organization’s cybersecurity risk management program, as outlined by management, with regard to how the organization manages risk and the policies and procedures in place to mitigate said risk
- Management’s Assertion: An assertion that addresses the effectiveness of the organization’s controls in meeting cybersecurity objectives either at a point in time or for a specified period of time
- Practitioner’s Report: An opinion attesting to (a) whether the organization’s description aligns to the description criteria and (b) if the controls in place are effective in meeting the specified cybersecurity goals
MFA Observations: Cybersecurity Safe Harbor Laws Gain Momentum with State Legislatures
Following a wave of recent high-profile cyberattacks on U.S. infrastructure targets, the federal government is increasingly focused on the need to invest in cybersecurity as part of the current administration’s sweeping infrastructure proposal. This movement is also taking hold across the nation at the state government level.
According to the National Conference of State Legislatures, in 2021, at least 45 states and Puerto Rico have introduced some 250 bills or other legislative actions addressing all aspects of cybersecurity — from education and training to establishing formal policies and practices to combat cybercrime. In 2016, California set the bar by offering a definition of what constitutes reasonable security and calling for all organizations that collect and store personal information to meet that threshold. In 2018, Ohio reached another milestone by being the first state to enact safe harbor guidelines for entities affected by a data breach. Utah followed suit in March 2021, and Connecticut now has the same issue pending on its legislative docket.
As cybersecurity legislation continues to gain momentum with state lawmakers, pressure is mounting for governments, industries, corporations, and stakeholders of all types to adopt and demonstrate a commitment to comprehensive cybersecurity protocols.
Please connect with a member of MFA’s Cybersecurity Team to discuss how best to enhance your organization’s cybersecurity practices.
Material discussed in this communication is meant to provide general information and should not be acted on without obtaining professional advice tailored to you or your company’s individual and specific needs. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used by any person or entity, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. This information is for general guidance only and is not a substitute for professional advice.
The information contained herein should not be construed as personalized investment advice. Investment in securities involves the risk of loss, and past performance is no guarantee of future results. There is no guarantee that the views and opinions expressed in this document will come to pass. Historical performance results for investment indexes and/or categories generally do not reflect the deduction of transaction and/or custodial charges or the deduction of an investment-management fee, the incurrence of which would have the effect of decreasing historical performance results. There can be no assurances that your portfolio will match or outperform any particular benchmark.
Information presented is believed to be factual and up-to-date; however, MFA makes no guarantee as to accuracy, completeness, suitability, or validity of any information within this communication and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages from its display or use. Any forward-looking statements are believed to be reasonable; however, MFA gives no assurance that such expectations will prove to be correct.