HHS publishes new guidance to help healthcare providers address cybersecurity risks

April 19, 2023 (8 min read)

BY Rossanna J. Madrigal and Beth Anne Jackson, Brown & Fortunato


On March 8, 2023, the U.S. Department of Health and Human Services (HHS) released the Health Care and Public Health Sector Cybersecurity Framework Implementation Guide, Version 2 (the “Guide”). The Guide is a joint government and private-sector publication developed by the HHS Administration for Strategic Preparedness and Response (ASPR) and the Health Sector Coordinating Council Cybersecurity Working Group. A statement published by ASPR explains that the Guide serves as a roadmap for healthcare providers and private-sector health organizations and is intended to: guide risk management principles and best practices; provide a common language for addressing and managing cybersecurity risk; outline a structure that organizations can use to understand and apply cybersecurity risk management; and identify standards, guidelines, and practices for managing cybersecurity risk cost-effectively.


The Guide adopts the 2018 risk management model published by the National Institute of Standards and Technology (NIST) (the “Framework”). Through the Framework, organizations work through a series of questions aimed at identifying and closing gaps in their cybersecurity controls. Importantly, the Guide notes that it “is not intended to replace or subsume other cybersecurity-related activities, programs, processes, or approaches” already in place at a healthcare organization, provider, or entity. Implementation of the Framework by the healthcare sector is voluntary, but by building on the Framework the Guide aims to address multiple cybersecurity mandates and executive orders at once. The Framework is sector-agnostic and has been adopted by a number of organizations outside healthcare, including the City of Houston and the Texas Department of Information Resources.


Because technology and the methods attackers use to penetrate defenses are constantly changing, it is important to have robust and comprehensive cybersecurity protocols in place. The implementation process described in the Guide consists of seven steps, which follow the sequence NIST defines in its Risk Management Framework (SP 800-37): identify the essential activities needed to manage security and privacy risk; categorize the system and the information it processes, stores, and transmits; select the set of NIST SP 800-53 controls that will protect the system; implement the controls and document how they are deployed; assess the implementation to determine whether the controls are in place, operating as intended, and producing the desired results; obtain authorization from senior personnel for the system to operate; and continuously monitor the implementation and the risks to the system. Neither the Framework nor the Guide offers step-by-step instructions on which processes an organization should put in place. Rather, the Guide provides lists of inputs, activities, and outputs for each step of the implementation process that organizations can use to frame their cybersecurity goals and objectives and to compare their existing protocols against the Framework to identify areas for improvement.


For healthcare providers, it is important to note that the Framework should operate in tandem with existing HIPAA protocols. The Framework alone is not intended to ensure compliance with a healthcare provider’s obligations as a covered entity under HIPAA. The Guide offers healthcare-specific guidance and modifications to the general Framework implementation, but this guidance is separate from the requirement that covered entities conduct a comprehensive HIPAA risk assessment. One of the main distinctions between the two is that the HIPAA risk assessment focuses on compliance with specific HIPAA requirements and is mandatory for all covered entities, while the Framework takes a holistic view of an organization’s cybersecurity risks and its implementation is optional. Even so, working through the larger questions the Framework asks can help organizations identify and address gaps in their HIPAA security protocols, which in turn helps maintain compliance. For guidance on HIPAA risk assessments, NIST published a HIPAA Security Rule Toolkit that can help an organization understand its obligations and implement protocols to maintain compliance with HIPAA. The Office of the National Coordinator for Health Information Technology (ONC) also publishes a downloadable Security Risk Assessment Tool that can be used to assess a covered entity’s compliance with HIPAA and identify gaps in its existing policies and procedures.


By implementing the Framework, organizations can establish a common language through which the organization can discuss and address cybersecurity risks on an enterprise-wide basis. Furthermore, the continuous review and assessment of the controls post-implementation help to identify and address risks and new gaps in real-time, which can have the added benefit of decreasing HIPAA security compliance risks and related liability. Lastly, the federal government has developed and published specific tools to assist with implementing the Framework with additional free resources for organizations looking to bolster their cybersecurity protocols. Regardless of the methods used by organizations to identify and address cybersecurity risks, it is essential for all healthcare organizations, and covered entities in particular, to maintain current, robust cybersecur


Medical Journal – Houston is the leading source of healthcare business news. With extremely relevant content, late-breaking news and monthly exclusives from industry experts, MJH News has created a winning combination of must-read editorial that physicians and hospital executives eagerly anticipate month after month. MJH News is the resource that provides everything they need in one place, and it is a high honor that they rely upon Medical Journal – Houston to keep their practice or hospital on the cutting edge.
