April 14th, 2021 by William Wentowski
This January, the HIPAA Safe Harbor Bill became law, and it's changing how all medical practices and healthcare organizations need to approach their cybersecurity. Here's what the law does and how it can affect your business:
HIPAA Safe Harbor Law
This new law requires that the Department of Health and Human Services (HHS) take into consideration whether "recognized cybersecurity practices" have been implemented in the past 12 months when investigating data breaches. The government has recognized that even organizations that implemented the best security practices over the past year could not always prevent a cyberattack. As a result, HHS now takes the following factors into account:
- Cybersecurity measures must be considered when calculating fines, rather than issuing disciplinary actions and penalties for an unpreventable attack.
- If it's determined that the impacted entity meets the industry-standard best security practices, HHS is required to decrease the extent and length of an audit.
- Organizations found not to be in compliance with the NIST guidelines or the Cybersecurity Act of 2015 cannot have fines or audit lengths increased.
What It Means for You
This law means more lenience regarding fines or other enforcement actions following cyberattacks for healthcare organizations. However, this only applies if your practice has met all the basic technical safeguard requirements. You have to be able to demonstrate that industry-standard security measures were implemented for the preceding 12 months to be covered by the law; otherwise, the fine you receive will still be rather heavy if a data breach occurs.
How BTS Can Help
How can your business get protection that meets the "recognized cybersecurity practices" requirements of the HIPAA Safe Harbor Law? BTS offers cybersecurity solutions for medical practices that specifically meet the National Institute of Standards and Technology (NIST) Framework this law requires. Unlike competitors who break up their offerings into multiple pieces, we offer a holistic approach to cybersecurity.