In the midst of Cybersecurity Awareness Month, it is worth reviewing how you handle your security program and whether changes in the law require you to adjust your strategy. Although HIPAA itself has not undergone any significant changes recently, several developments, such as large-scale breaches, have caused the government to look more closely at how cybersecurity in healthcare has been handled in the past and how healthcare organizations can improve their security now. To help healthcare organizations keep up with these developments, the current cybersecurity trends in healthcare are discussed below.

Why is Cybersecurity So Important in Healthcare?

Earlier this year, Black Book Market Research conducted a study of the cybersecurity climate, surveying 2,464 security professionals from 705 healthcare organizations. The purpose of the study was to uncover the security gaps and vulnerabilities that leave organizations susceptible to healthcare data breaches.

While breaches have grown year over year, the study uncovered concerning cybersecurity trends in healthcare. According to the data collected, there was a 300% increase in vulnerable healthcare organizations compared to 2020, with 60% of surveyed healthcare organizations (1,500 organizations) considered prime targets for large-scale data breaches affecting 500 or more patients. That 500-patient figure is not arbitrary: under the HIPAA Breach Notification Rule, a breach affecting 500 or more individuals must be reported to HHS within 60 days of discovery and is posted publicly, so a breach of that size brings regulatory scrutiny as well as patient harm. Black Book Market Research has also predicted that healthcare breaches are likely to triple in the coming year. With healthcare organizations a prime target, cybersecurity in healthcare has become increasingly important.

Cybersecurity Trends in Healthcare: HHS Cybersecurity Guide

In May 2017, HHS convened a Task Group, under section 405(d) of the Cybersecurity Act of 2015, to build a set of voluntary, consensus-based principles and practices to improve cybersecurity in the health sector. The Task Group was formed in response to the growing cyber threats against the healthcare industry, to give healthcare organizations guidance on how they can better secure protected health information. Its work produced the publication “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), first released in December 2018.

The guidance in the document:

  1. Examines the current cybersecurity threats affecting the Healthcare and Public Health (HPH) sector;
  2. Identifies the specific weaknesses that make organizations more vulnerable to those threats; and
  3. Presents the practices that cybersecurity experts rank as the most effective at mitigating those threats.


Cybersecurity Trends in Healthcare: HR 7898

On January 5, 2021, legislation known as HR 7898 was signed into law. HR 7898 amends the HITECH Act to require the Department of Health and Human Services (HHS) to reward healthcare organizations that follow cybersecurity best practices. In essence, should a healthcare organization be breached and an investigation into its HIPAA compliance ensue, HHS must consider whether the organization had “recognized security practices” in place for at least the 12 months preceding the breach.

HR 7898 defines “recognized security practices” broadly, to mean:

  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
  • The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
  • Programs and practices that are developed in, recognized by, or set forth in federal laws other than HIPAA.

Healthcare organizations that can demonstrate that they had a recognized security framework in place for the prior 12 months are entitled to have that fact considered by HHS, which can mitigate fines, shorten or narrow an audit, and reduce other remedies that would otherwise be imposed. The law does not promise immunity from penalties; the practical takeaway is that maintaining evidence of the framework you follow (policies, risk analyses, control implementation records, and dates) is what turns “we follow NIST” into something an investigator can credit.

Cybersecurity Trends in Healthcare: NIST Cybersecurity Guide

In 2008, the National Institute of Standards and Technology (NIST) published guidance on how healthcare organizations could implement the HIPAA Security Rule requirements: NIST Special Publication 800-66 Revision 1, “An Introductory Resource Guide for Implementing the HIPAA Security Rule.” NIST guidance is not itself mandatory under HIPAA, but it is widely used as the reference for what a reasonable implementation looks like. Although the guidance was sufficient at the time, NIST has since seen the need to update it to account for new threats to healthcare cybersecurity. The NIST resource guide is designed to educate readers, raise their awareness of resources relevant to the Security Rule, and provide detailed implementation guidance for covered entities and business associates. The original guide was meant to simplify the Security Rule requirements so that healthcare organizations could understand them more easily; with the passage of HR 7898, which names NIST publications as “recognized security practices,” NIST determined that a more detailed guide would be beneficial. At the time of writing, the revised guide was still under development (it was later released as SP 800-66 Revision 2).
