(HIPAA series #4)

Introduction

A fundamental part of working within the healthcare industry is ensuring that the data and information you handle is protected from unauthorized access or loss. You are responsible for that protection, and it can be a heavy burden. Below, we will detail some of the laws, regulations, and resources that can help ease the burden of maintaining cybersecurity and the purpose of those laws. Be aware, however, that other items might be required of you within your states or if your organization works across international borders.

In the United States (and abroad, for that matter), laws and regulations inform persons and organizations of those requirements that they must follow to protect themselves from legal or financial repercussions. They also can be designed to assist in your endeavors to promote your business or organization as a secure and thoughtful practice. By following the rules and regulations, you give your patients and clients the understanding that while you might be working for profit, you also are concerned about protecting them and their personal health information.

Be advised that some of the items listed are for reference only, as they provide context and potentially could offer more depth to your organizational protections that aren’t strictly required.

Common US federal laws and regulations:

Let’s start with some of the most common laws and regulations you might need to consider.

• The Health Insurance Portability and Accountability (HIPAA) Act of 1996 (updated):
  • A law that required the Secretary of the US Department of Health and Human Services to set standards to protect the privacy and security of certain health information and electronic health records. HIPAA covers both technical and non-technical safeguards (Office for Civil Rights).
  • [Please link to HIPAA blog post here]
• The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009:
  • HITECH promotes the ‘adoption and meaningful use of health information technology. (Office for Civil Rights). It also strengthens enforcement provisions and defines penalties for violations and breaches.
  • [Please link to HITECH blog post here]
• Internet of Medical Things Resilience Partnership Act of 2017:
  • A bill to create a working group led by the Food and Drug Administration (FDA) to “recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices… (US Congress).” Federal, as well as industry and academic representatives, will be members of the committee.
• Medical Device Cybersecurity Act of 2017:
  • Amendment to the Federal Food, Drug, and Cosmetic Act provides cybersecurity protections for medical devices. It creates a cybersecurity report card requirement for manufacturers of medical devices which use the Internet or network access, external drives/media, or any other cyber capability. It enables notification procedures for providers and patients, free updates and fixes for a specified time, and allows the Industrial Control Systems Cyber Emergency Response Team to investigate vulnerabilities and coordinate device-specific responses (US Congress).

Resources:

The resources here may assist you when you or your organization are working to improve or enhance your cybersecurity protections internally. 

• National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF):
  • A “voluntary framework of standards, guidelines, and practices to promote the protection of critical infrastructure. (National Institute of Standards and Technology)”
  • [Please link to CSF blog post here]
• Health Information Trust Alliance (HITRUST): https://hitrustalliance.net/
  • Cybersecurity framework items available for download, as well as other resources and information
• Department of Health and Human Services Cybersecurity resources: https://asprtracie.hhs.gov/technical-resources/86/Cybersecurity/86#Legal-Regulatory-Resources
• Office for Civil Rights (OCR): HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework 
  • Help in understanding how to implement HIPAA using the CSF and what sections of HIPAA relate to the controls within the CSF. It also shows references to other regulations and models for cybersecurity, allowing you to obtain more information.
• Office of Civil Rights (OCR): Fact Sheet, Ransomware and HIPAA
  • Information about what ransomware is and how it might affect your HIPAA compliance, protect from infection, and recover from infection if one does occur.
• Office of the National Coordinator (ONC)/HHS Security Risk Assessment Tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
  • A tool that can allow you to conduct mandatory risk assessments required by HIPAA.
• Food and Drug Administration (FDA) Draft Guidance: Postmarket Management of Cybersecurity in Medical Devices
• FDA: Premarket Management of Cybersecurity in Medical Devices

Northstarr Recommendations

Navigating the laws, regulations, methods, and recommendations for securing your data and organization is not an easy or quick task. Northstarr System Solutions, Ltd. provides you with the tools and expertise to move as quickly as possible toward your goal of security and protection. Our assessment process can give you insight into your present security posture and provide the path forward that you will need to certify your HIPAA compliance. Patients, clients, and the public appreciate knowing their information is safe and secure with you. Let us help you get there!