Reduce OCR enforcement: Get recognized cybersecurity practices in place


Cybersecurity continues to evolve across every public and private sector that handles digital personal information. In American healthcare, under the purview of the U.S. Department of Health & Human Services (HHS), that information is typically patient data. HHS has taken a leadership role in coordinating efforts to align industry cybersecurity practices, strengthening defenses against ever-increasing external and internal cyberattacks. A new amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act gives regulators an enforcement incentive: entities that have had recognized security practices (discussed below) in place for at least 12 consecutive months are to have that fact taken into account.[1] The incentive applies to covered entities and business associates subject to the HIPAA Security Rule. HHS recommends adopting recognized cybersecurity practices because they can reduce liability under regulations already in effect, particularly the HIPAA Security Rule; they do not, however, amount to a safe harbor or any formal regulatory relief.

As ransomware and other forms of malware and cyberattacks have increased, the US government and the private sector have launched several initiatives to counter them. Rules have been issued, educational content released, reminders circulated, and enforcement actions for failure to institute adequate protective safeguards ramped up.

Federal agencies such as the Office for Civil Rights (OCR) and the Federal Trade Commission, among many others, have increasingly published educational materials while at the same time pursuing enforcement actions intended to show that regulators are serious about compliance with their rules. Those actions use regulatory enforcement as an incentive to tighten IT security, so that these businesses are better armed for what has become, in essence, cyberwarfare: on one side, a wide range of bad actors, including those that are state-sponsored or state-protected; on the other, the vast numbers of healthcare providers, payers, exchanges, and networks. Added to that is the problem of malicious insiders who already have access to systems holding protected or sensitive information.
