Cybercriminals’ agendas are clear: attack, breach and repeat. They’ll try nearly any tactic, from phishing to ransomware, to meet that target. So, how are broad, static government regulations like the Health Insurance Portability and Accountability Act (HIPAA) expected to keep up? Bottom line—they aren’t, and they won’t.
No industry is immune to having its systems compromised. However, health care organizations have increasingly become bullseyes for cyber incidents, particularly with the expansion of electronic records and digital patient services. These growing vulnerabilities have reinforced the industry’s need to shift its approach to cybersecurity from compliance to risk management.
Since HIPAA was signed into law in 1996, and long before, protecting patient data has been a top priority for health care entities. The importance of maintaining HIPAA compliance is hammered in by these organizations’ leadership and IT teams, often citing the looming threat of civil and criminal penalties if they fail to do so.
So, when regulatory updates like the Health Information Technology for Economic and Clinical Health (HITECH) Act occur, impacted organizations take note. Despite the heartburn federal announcements like these typically cause, many HIPAA rule changes aren’t anything significant. Generally, they’re minor tweaks to how sensitive personal information is exchanged and shared, not sweeping government mandates.
Health care entities should recognize HIPAA as a valuable resource for developing their cybersecurity policies. But they should also understand that the rules are a launchpad, not the rocket that will get them where they want to go. If organizations only check the boxes to maintain HIPAA compliance, they will leave their systems and patients exposed to potential risks.
To better safeguard their systems, entities should focus on risk management.
Fortunately, there’s a financial incentive to do just that. Under an amendment to the HITECH Act, the U.S. Department of Health and Human Services must consider covered entities’ implementation of recognized security practices (RSPs) when determining potential fines, audit results and other HIPAA violations—no matter their state of compliance. The result, Congress hopes, is that organizations have stronger, more strategic cybersecurity programs.
Again, these RSPs—industry-aligned standards, guidelines, best practices and more—are designed to serve as jumping-off points. Following a thorough risk assessment, entities should select the category of RSPs that work best for their organizations and modify them to meet their threat landscapes. By deploying RSPs that address the vulnerabilities unique to their operations, they can prevent potential incidents and be better positioned if or when these situations occur.
As any cybersecurity expert will tell you, making this transition will take time and resources. It will also require that entities stay up to date, ideally reviewing their cybersecurity policies and practices at least annually or with significant operational changes. But the return—more robust protection against cyberattacks—is worth the upfront investment.
In the years to come, Congress will likely make more changes to HIPAA. And that’s a good thing as the digital world changes—and quickly. A risk management-based approach to cybersecurity will allow health care organizations to maintain continued compliance with HIPAA while ensuring greater resiliency in the face of ever-evolving threats.
Christopher Wright is co-founder and partner at Sullivan Wright Technologies, an Arkansas-based firm providing tailored cybersecurity, IT and security compliance services. For more information, visit swtechpartners.com or email chris@swtechpartners.com.