A new federal law rewards HIPAA covered entities and business associates for implementing a recognized security practice such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
The law is often described as a 'safe harbor', but it is more precisely a mitigation: when an organization can demonstrate that it had the recognized cybersecurity program in place for at least the previous 12 months, regulators must take that into account, which can reduce HIPAA breach penalties and allow an audit to be terminated early and favorably. It does not grant immunity from enforcement.
HR 7898, which amends the HITECH Act rather than the HIPAA Security Rule itself, was signed into law on January 5, 2021; HHS still has to work out how it will evaluate an organization's showing in practice. Because the benefit depends on demonstrating that the program has been in effect for the previous 12 months, the clock starts when the controls are implemented, so covered entities and business associates that want the reduced exposure to fines and shorter audits should begin implementing and documenting the controls now.
The NIST CSF was developed jointly by the government and private industry. Version 1.1 of the framework breaks cybersecurity down into five functions (Identify, Protect, Detect, Respond, Recover), 23 categories, and 108 subcategories, each of which maps to specific security controls. This is considerably more detailed than the HIPAA Security Rule's 42 implementation specifications, which are deliberately technology-neutral and were written in 2003.
The NIST CSF is like a Swiss Army Knife for cybersecurity and compliance. Several states reference it in their data breach and data protection laws, industry regulators cite it in their oversight guidance, and other countries have adopted it as well. An organization that implements the NIST CSF can use it as a single control framework and map its other obligations onto it rather than running a separate program for each. For example, a healthcare provider in New York that accepts credit cards can map HIPAA, the New York SHIELD Act, PCI DSS, and its cyber insurance policy's requirements to one set of CSF controls. The caveat is that the mapping does not replace the other regimes' own validation: PCI DSS, for instance, still requires its own prescriptive assessment, and the CSF simply lets the same evidence serve more than one audience.
Though the new law rewards organizations for implementing a formal government-recognized cybersecurity program, it does not mandate one. Covered entities and business associates that do not implement the NIST CSF (or another recognized security practice) simply remain subject to the existing penalties, with no mitigation.
The key to success is not just establishing comprehensive cybersecurity, but also being able to hand regulators dated policies, procedures, and evidence covering the previous 12 months, such as risk assessments, change records, training logs, and retained security logs, that will stand up to a stringent audit. An undocumented control cannot be demonstrated, and the law rewards only what can be demonstrated.