Navigating the New HIPAA “Safe Harbor”

In 2020, the American Health Information Management Association (AHIMA), the American Medical Association (AMA), the College of Healthcare Information Management Executives (CHIME), and the Medical Group Management Association (MGMA) voiced strong support for HR 7898 in the 116th Congress. This bill amended the Health Information Technology for Economic and Clinical Health (HITECH) Act, which requires the US Department of Health and Human Services (HHS) to incentivize cybersecurity best practices intended to meet HIPAA requirements. The bill was signed into law January 5, 2021, and is now referred to as Public Law No. 116-321.

These organizations, representing the nation’s clinicians, hospitals, health systems, and foremost experts in health informatics and health information management, voiced their collective opinion in the letter, saying: “This will incentivize the adoption of cybersecurity practices by acknowledging that providers who have been acting in good faith should not be penalized by OCR and promote increased communication between providers and HHS during the crucial early stages of an attack.”

This is welcome relief. During 2020, HHS’s Office for Civil Rights (OCR) imposed more HIPAA violation penalties on covered entities (CE) and business associates (BA) than any other year previous.

In 2015, Congress passed the Cybersecurity Act, which included a provision known as Section 405(d). The intent of the provision was to form a Task Group, or the “Section 405(d) Task Group,” comprised of diverse stakeholders including cybersecurity and privacy experts, healthcare practitioners, health IT organizations, and other subject matter experts.

The healthcare industry may find leadership and governance that will prevent breaches through effective cybersecurity techniques, tactics, and procedures produced by the 405(d) group. Julie Chua serves in the Governance, Risk Management, and Compliance (GRC) Division within the US Department of Health and Human Services (HHS) Office of Information Security (OIS) and is the public co-lead on the 405(d) Task Group,

“The 405(d) program is focused on providing the Healthcare and Public Health (HPH) Sector with useful and impactful resources, products, and tools that help raise awareness and provide vetted cybersecurity practices, which drive behavioral change and move toward consistency in mitigating the most relevant cybersecurity threats to the sector,” Chua says.

She continues, “The pass[age] of HR 7898 not only highlights the work of the 405(d) Task Group and all of its efforts, but it is also another step forward in encouraging HPH entities to continue to focus on cybersecurity practices that will help protect their organizations and their patients. Cyber safety is patient safety.”

State of Cybersecurity in Healthcare

Providers continue to be the most targeted sector for cyberattacks, accounting for 79 percent of all reported breaches. In 2019, the US was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted 764 healthcare providers. Since November 1, 2020, there has been an increase of over 45 percent in the number of attacks seen against healthcare organizations globally, compared to an average 22 percent increase in attacks against other industry sectors. Ripple20 is a set of 19 vulnerabilities, discovered in 2020, affecting hundreds of millions of connected devices, including connected medical devices. A remote attacker can exploit these vulnerabilities to take control of an affected system, giving them access to a hospital’s entire network from anywhere. The bad guys aren’t going away.

The Cybersecurity and Infrastructure Security Agency (CISA), a federal agency under the US Department of Homeland Security, encouraged users and administrators to mitigate the Ripple20 risks by updating to the latest stable version of Treck IP stack software (6.0.1.67 or later). Unfortunately, the majority of hospitals don’t adequately account for all devices on the network, not to mention subsystems within a medical device. Unbelievably, hospitals are still struggling to identify devices running Windows 7, which was discontinued in January 2020.

Hospitals are working hard to prevent breaches, but they still occur. Healthcare information security teams work tirelessly to protect and detect, and information technology builds and maintains insanely complex infrastructures. Compliance departments pore over details, ensuring everything done meets or exceeds the necessary requirements. But is all of this effort to increase compliance and reduce risk being invested in best practices?

Safe Harbors

St John’s in Newfoundland, Canada, is the most northeastern point on the North American continent and touts one of the world’s most perfectly formed natural harbors. The harbor has been used by military and international ships needing protection against destructive storms, dangerous seas, and relentless enemies for hundreds of years. The entrance to St. John’s Harbor is bordered, north and south, by the steep rock walls of Signal Hill, fortifying a refuge for ships in the harbor.

A “safe harbor” is defined by Webster’s Dictionary as something (as a statutory or regulatory provision) that provides protection (as from penalty or liability). Does conduct, as defined by a given rule, automatically protect you from noncompliance? Safe harbors are not always a panacea and can be misconstrued. Many people in the industry are rushing to call HR 7898 a safe harbor.

HHS has used the term safe harbor to convey very specific regulations or methods of compliance. While the spirit of this new law meets Webster’s definition, I do not believe that HHS has classified any portion of this law as a safe harbor … yet. Until they do, it would be prudent to avoid the use of that term when discussing this new law.

Here are three existing safe harbors as related to HIPAA as comparisons:

1. Method of De-Identification

There are currently two methods that can be used to satisfy the Privacy Rule’s de-identification standard: expert determination and safe harbor. The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors.

2. Rendering Unsecured Protected Health Information (PHI) Unusable

HIPAA breach notification guidance on rendering unsecured PHI unusable, unreadable, or indecipherable to unauthorized individuals is sometimes referred to as a safe harbor. Compliance requires one of two methods apply: electronic PHI has been encrypted as specified in the HIPAA Security Rule, or the media on which the PHI is stored or recorded has been destroyed. The National Institute of Standards and Technology (NIST) provides compliant processes.

3. Cybersecurity Technology and Services

Under the Anti-Kickback Statute, there are many safe harbors. Recently, the HHS OIG has finalized a new cybersecurity technology and services safe harbor to help improve cybersecurity in healthcare. The new cybersecurity safe harbor applies to nonmonetary donations of certain cybersecurity technology and related services that are necessary and used predominately to implement, maintain, or reestablish effective cybersecurity.

Not If, But When

Each organization needs to examine their unique environment and apply practices that have been proven effective. They need to collaborate in choosing the security controls that best address the vulnerabilities in their ecosystem. Striving for 100 percent compliance won’t guarantee security, and 100 percent security doesn’t ensure compliance. But striving with 100 percent effort should not be penalized either.

Healthcare delivery organizations (HDOs) protect the ingress and egress of their networks, but highly motivated bad actors across the world are financially motivated to cripple HDO operations and steal valuable electronic medical records. Advanced persistent threats (APTs) will inevitably bypass perimeter security.

HDOs are willing to navigate to whatever safe harbors are recommended but, as it turns out, some are more effective than others. Through this legislation, Congress has now highlighted recognized cybersecurity practices that it believes will decrease risk to patients and health systems. Implementing them will now allow consideration for protection from penalties or liabilities imposed by the HHS OCR as a result of an adverse cyber event.

New Law: Recognition of Security Practices

HR 7898 amends the HITECH Act, and its primary purpose is to incentivize CEs and BAs to adopt recognized cybersecurity practices, produce demonstrable results, and embrace components from the best frameworks found within the healthcare industry. Under the law, when making determinations regarding fines for failure to comply with HIPAA requirements and standards or for wrongful disclosure of individually identifiable health information, the Secretary of HHS will have the ability to consider whether the covered entity or business associate has adequately demonstrated that for at least 12 months that it engaged in “recognized security practices.” Providing such flexible authority will allow HHS to consider a mitigation in fines, result in an early favorable termination of an audit, or mitigate remedies that would otherwise be a part of a corrective action plan for violation of the HIPAA Security Rule.

Recognized security practices are defined within this law as “voluntary, consensus-based, industry led-standards, guidelines, best practices, methodologies, procedures, and processes developed by the National Institute of Standards and Technology (NIST), approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.”

National Institute of Standards and Technology

Most individuals in healthcare information management leadership positions are familiar with NIST and its publications, most notably the Cybersecurity Framework, which is utilized in over 75 percent of HDOs. Unfortunately, it is not always used effectively. HIPAA audit results from 2016 and 2017 revealed nearly 80 percent of audited CEs and BAs demonstrated less than adequate risk management and risk analyses. To date, the HHS OCR still finds a “lack of thorough risk analysis” in a high percentage of its investigations.

Less known is the NIST Privacy Framework. With the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) finalizing interoperability and information blocking rules, privacy is undoubtedly going to take center stage in 2021. This NIST framework may become key in meeting compliance requirements and integrating with current cybersecurity activities already instituted in an organization. Will this law apply to privacy too?

Aligning Healthcare Cybersecurity – Section 405(d)

Section 405 of the Cybersecurity Act drove a national risk assessment of our nation’s health industry, including a report from the Health Care Industry Cybersecurity (HCIC) Task Force and recommendations of industry best practices to mitigate those risks. Those best practices for small, medium, and large organizations are found in the four-part series entitled, Healthcare Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HCIP).

CHIME touted this 405(d) publication. A CHIME spokesperson says, “We recommend OCR create a safe harbor for providers who have demonstrated they are meeting a set of best practices such as those developed under the public-private effort known as the Health Industry Cybersecurity Practices, or HICP.”

Erik Decker is the private sector co-lead on the 405(d) Task Group and the CISO/privacy officer at the University of Chicago Medicine. “[PL 116-321], which is a fantastic step forward, will hopefully incentivize healthcare organizations to adopt better cyber,” he says. “In short, if you adopt the Health Industry Cybersecurity Practices (HICP), published under 405(d), you will not only make a meaningful step at protecting your patients and organization, but now once you’ve demonstrated you’ve adopted them for at least 12 months, it will be taken into consideration if a breach ever does occur. The HIPAA Security Rule still applies (and should always).”

“The importance of this law can’t be overstated,” says Russell P. Branzell, president and CEO of CHIME. “It moves us away from the punitive environment that victimized hospitals by acknowledging their work to better their cyber posture.”

Decker agrees, “In my mind, this is the perfect fulcrum between organizations being responsible and punishing the victim of criminals. If you aren’t doing cyber, you will be held accountable. If you are, you will be given relief. In my opinion, that is how this should be.”

Criminal enterprises will pursue strategies that deliver results. Ransomware attacks against CEs and BAs have obviously been proven to work. Given their success, the healthcare industry will continue to be heavily targeted in 2021. Unfortunately, bad actors growing their financial resources create organizations that can increase in both sophistication and frequency of their attacks.

Protecting patients, their data, and the organization are paramount for everyone in healthcare leadership. This new law has the potential to increase compliance, improve cybersecurity, and reduce financial risk. Whether it is eventually designated as a safe harbor or only serves to provide shelter from unjust additional penalties, hopefully healthcare executives will see the tangible benefits of embracing the proven cybersecurity best practices of NIST and the 405(d) Task Group.

“We continue to work with our HHS partners to identify impacts and approaches to ensure all of HHS is working together in response to this new legislation,” Chua says. “We hope that the 405(d) Task Group members are encouraged to continue to develop new resources and lend their voices to help define HPH sector cybersecurity best practices moving forward.”

Ty Greenhalgh (Ty@CyberTygr.com) is CEO at Cyber Tygr.