New Law Tells If You Are Doing “Enough” to Protect Your Patients’ PHI
Security is an endless road of evaluating risk and choosing the most appropriate, lowest-risk path. Sometimes the correct thing to do is to bring a wheelbarrow full of money and dump it onto a problem. But sometimes, after evaluating a risk, only a few dollars, or perhaps none at all, should be put against an issue. So when do you call it quits? How do you know if what you’ve done is enough?
Thankfully, the government just recently signed a bill that clearly states what “enough” is:
“RECOGNIZED SECURITY PRACTICES.—The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title).”
- HR 7898
For those in the cybersecurity world, a sigh of relief could be heard as the president’s pen met paper. As attackers continue to strike successfully against healthcare organizations that adhere to the best of the recognized security practices, heavy fines seemed inappropriate, especially against floundering healthcare organizations grappling with the financial difficulties presented by COVID and earlier payment changes.
With the directives present in HR 7898 and its clear definition of recognized security practices, organizations that have been protecting their patients’ information using those practices for the 12 months before a successful breach will receive a fairer judgment from HHS. Hundreds of thousands of dollars could be saved by organizations that adhere to the recognized security practices.
At CE-Tech, we bring the recognized security practices to healthcare organizations to protect their medical device assets. Losing a single device could cost hundreds of thousands of dollars in fines, as it did for Lahey Memorial in 2011. Risk-averse organizations are protecting their assets, both IT and medical devices. Is that you? If you need help bringing down your risk and getting your organization properly running and documented, call CE-Tech. We can help.