10 Mar Implement NIST CSF for a HIPAA Safe Harbor
Guest blog by Mike Semel, president of Semel Consulting
A new federal law will reward HIPAA covered entities and business associates for implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
The law provides ‘safe harbor’ from HIPAA data breach penalties and allows audits to be terminated early if an organization can demonstrate that it has implemented the government-recognized cybersecurity program for the previous 12 months.
The HIPAA amendment, HR 7898, was signed into law on January 5, 2021, but it must go through the rule-making process before it takes effect. However, because the law requires regulators to confirm that an organization’s cybersecurity program has been in effect for the previous 12 months, covered entities and business associates can start implementing the controls now to take advantage of the reduced risk of fines and audits.
The NIST CSF is a joint effort between the government and private industry. The framework breaks down cybersecurity into five functions, 23 categories, and 98 subcategories (security controls). The security guidelines are more detailed and advanced than the vague, outdated HIPAA Security Rule’s 42 requirements that were written 20 years ago.
The NIST CSF is like a Swiss Army Knife for cybersecurity and compliance. It has been used as the basis for state data breach laws and industry oversight regulations, and other countries have adopted the standard as well. An organization that implements the NIST CSF can use it as a single tool to comply with multiple requirements. For example, a healthcare provider in New York that accepts credit cards can use the NIST CSF to comply with all its cybersecurity requirements: HIPAA, the New York SHIELD Act, PCI-DSS, and its cyber insurance policy.
Though the new law rewards organizations for implementing a formal government-recognized cybersecurity program, it isn’t mandatory. Covered entities that don’t implement the NIST CSF remain subject to the existing penalties.
The key to success is not just establishing comprehensive cybersecurity, but also providing regulators with documented policies, procedures, and evidence for the previous 12 months that will pass stringent audits.
Compliance Manager helps you manage the entire compliance process from beginning to end and automates much of it. When you combine your IT knowledge with the workflow engine built into Compliance Manager, you have everything you need to begin offering a wide array of compliance services. Contact us to request a demo today.
About Mike Semel:
Mike Semel is a noted thought leader, speaker, blogger, and best-selling author. He is the president of Semel Consulting, which focuses on compliance regulations, cybersecurity, and Business Continuity planning. Mike has also developed Semel Systems, a series of cybersecurity and compliance training and go-to-market systems for MSPs. He is a Certified Business Continuity Professional, a Certified HIPAA Professional, a Certified Security Compliance Specialist, and co-author of the Certified HIPAA Security Professional (CHSP) certification course. He has owned or managed VAR and MSP technology companies for over 30 years, served as Chief Information Officer (CIO) for a hospital and a K-12 school district, and managed operations at an online backup company.