HIPAA’s HITECH Act Calls for a Best-Practice IT Risk Program
The HITECH Act, which amended the Health Insurance Portability and Accountability Act (HIPAA), prescribes that healthcare organizations implement a best-practice IT risk program that conforms to HHS/OIG guidance.
To improve privacy and security protections for healthcare data, HITECH incentivizes the adoption and use of health information technology by providers. In the event of a cyber incident, institutions that have had a best-practice program in place for the 12 months prior to the incident will be offered leniency in terms of penalties.
Cyber risk is so great that even a robust healthcare compliance program requires a strong IT risk management program in order to provide comprehensive protection. That is the key takeaway from a SAI360 healthcare GRC webinar. Watch it now or read the highlights below.
Compliance can only protect so far.
No healthcare entity wants to be fined for non-compliance with HIPAA and the HITECH Act, or face the consequences of a major cyber event that shuts down normal operations. If compliance with HIPAA alone were all that was required to protect providers, ransomware and data breaches would be rare occurrences. In reality, healthcare entities fall victim to ransomware more than any other critical infrastructure sector, and 2022 ranked as the second-worst year ever in terms of the number of reported data breaches.
While regulatory compliance helps lower the risk of cybersecurity incidents, it does not supply the frameworks, processes, risk identification and controls that come from a well-designed IT risk management program. Regulatory compliance alone will not be effective.
Healthcare attack surface gets bigger and bigger.
The rise of telehealth and increased digital transformation are expanding the attack surface. Additionally, the explosion of IoT connected devices in both healthcare and industrial environments creates greater vulnerability. A successful entry into major systems via phishing or social engineering can give a ransomware actor great leverage to shut down significant life- or mission-critical systems. Imagine, as some hospitals have experienced, reverting to paper records and charts and not being able to admit new patients.
The playing field has changed. It is larger and more complex, providing cyber criminals with more opportunities for ransomware and large-scale patient data theft.
Third parties are often the weakest link.
Third parties account for half of all healthcare data breaches. Half of the ten largest healthcare data breaches reported in 2021 involved vulnerabilities introduced by vendors and business associates.
Addressing third-party risk calls for assessing your third parties’ cybersecurity programs and ensuring that business associates understand your IT risk policies. Regular assessments and audits can go a long way to shoring up a healthcare entity’s cyber defenses. Cybercriminals attack the weakest link. Do not give them one by contracting with a vendor or business associate that does not take cybersecurity as seriously as you do.
Technology can streamline and support IT security.
A healthcare GRC platform can streamline and automate compliance, help users manage vendors and business associates, facilitate the assessment and audit processes, and house a comprehensive IT risk management program. Preconfigured solutions are rapidly deployable.
The SAI360 platform equips organizations with a best-practice IT security program built on multiple frameworks such as NIST CSF, NIST SP 800-53, ISO 27001 and more. Users can track steps from assessment to completion and monitor risk scores to determine future action. An IT security program also goes beyond identifying risks and managing controls tied to assets: it equips users to centralize a library of policies with automated record-keeping of authors, reviewers, and revisions. All information is organized in one place. For those currently attempting to manage IT risk in spreadsheets, switching to a platform can be a game changer.
Employee training is a must for a best-practice IT security program.
Healthcare employees are often the entry point for cyber-related incidents. For example, someone clicks on a suspicious link in an email and becomes a victim of malware or ransomware. Or an employee has a laptop stolen from their car with patient data stored on it.
Training and cyber awareness are critical to turning the human element from the root cause of incidents into the strongest line of defense. Online courses equip employees to recognize suspicious emails and help them understand how to protect sensitive data. When everyone in the organization receives cybersecurity and data privacy training, you are one step closer to having a best-practice IT security program.
HIPAA and the HITECH Act are regulatory requirements that help provide your healthcare organization with cybersecurity defenses. However, healthcare entities need a more holistic and comprehensive approach to building a best-practice IT security program that protects their organization and their patients’ data.