Cybersecurity Policies
While the HIPC has not been updated since 2018, a review of recent data breaches in healthcare suggests that the identified threats are still relevant. For example, a 2019 study by the Journal of American Medicine of 95 simulated phishing campaigns at six US health care institutions noted that almost one in seven of the test emails sent was clicked by employees [4]. And recently, a ransomware attack affected 250 Universal Health Systems facilities, taking their systems offline for almost a week [5]. These reports agree with the 2020 HIMSS Cybersecurity Survey, which noted that the top security events included phishing events, harvesting and ransomware [6].
Other Programs and Processes
Thursday, January 14, 2021
On January 5, 2020, President Trump signed into law H.R. 7898. This new statute amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to consider efforts by HIPAA covered entities and business associates to implement “recognized security practices” when assessing fines or penalties under the HIPAA Security Rule.
The statute provides that if a HIPAA covered entity or business associate can demonstrate compliance for the previous twelve months with “recognized security practices,” then that entity may benefit in the following scenarios:
1. mitigation of fines related to an HHS investigation resulting from a security incident;