The Healthcare & Public Health Sector Coordinating Council urged the National Institute of Standards and Technology to provide more resources tailored to lower resourced and smaller providers, which face unique challenges that require more support than other healthcare entities and typically struggle to quickly adopt new standards.
Ideally, NIST would create “an entirely separate document specifically for small and mid-sized entities that expresses in plain English why practicing good cyber hygiene is imperative for compliance, business operations and, ultimately care delivery and patient safety… with advice on what is needed to secure electronic protected health information and the implications for not doing so.”
The comments to NIST come in response to the July request for comment on a possible update to its Health Insurance Portability and Accountability Act Security Rule implementation guidance for ensuring the confidentiality and integrity of electronic protected health information like healthcare records, lab results, prescriptions, and vaccinations.
HIPAA compliance for small businesses
In its release, NIST explains the framework is meant to be used by a wide range of healthcare entities. While HSCC notes the NIST document “is well written with numerous resources,” as it stands the framework is not easily adapted for smaller and/or less-resourced healthcare entities regulated by HIPAA.
The specialized guidance for these providers should also include insights on the 405(d)/HICP resources designed specifically for smaller entities, the potential mitigation of HIPAA breach enforcement fines and/or audits available to entities that follow the NIST CSF, 405(d) HICP and other recognized security practices, and the benefits of using cybersecurity best practices, such as business reasons and patient safety.
As HSCC notes, the problem is lower resourced providers “are ill-equipped to handle” the high level of detail provided by the NIST guidance. For HSCC, one of the “chief concerns with the publication is that it is trying to be all things to all entities. Or, said another way, it takes a one-size-fits-all approach.”
“The HIPAA security rule is designed to be flexible, and this document could be improved if it was clearer that - like the rule - there is no single approach that will work for all entities,” HSCC noted.
These sentiments echo earlier comments sent by healthcare stakeholder groups to the Department of Health and Human Services for its RFI examining the current state of security practices within the sector, based on HITECH.
In June, both AHIMA and MGMA noted the challenges with current guidelines and asked the agency to recognize the broad statutory definition of recognized security practice and support providers in choosing a recognized framework, rather than dictating specific practices. MGMA explained the move would reflect the “vast differences in the technical and financial capabilities between medical groups of all sizes.”
A tailored approach to cybersecurity
To AHIMA, the Office for Civil Rights should lean on the HHS Workgroup’s Health Industry Cyber Practices (HICP) voluntary guidance, lauded in the industry because it was designed to be tailored to an organization’s specific needs, including size and provider type.
As HSCC stressed, “traditionally smaller and lesser-resourced entities are typically much slower to adopt standards, best practices and technology, and meet compliance deadlines.” Healthcare is one of the more heavily regulated industries, which presents its own challenges, particularly for entities already in need of more resources or support.
In particular, many small entities struggle to conduct risk assessments and run risk management programs without additional help. And as cyberattacks on small providers continue to grow, with healthcare remaining a “target-rich environment,” it’s critical these entities receive more support.
“Neglecting that community poses a risk to the entire sector and to patient safety,” HSCC explained.
NIST should rely on the aforementioned 405(d), which was compiled with extensive research and partnership and with direct reference to the NIST Cybersecurity Framework. As such, NIST should use a similar model and direct smaller and lesser-resourced entities to these tools.
In fact, the signing of H.R. 7898 into law on Jan. 5, 2020 was seen as a safe harbor for healthcare entities, as it allows for smaller fines and shorter OCR audits for those adhering to recognized security practices, such as the 405(d) and NIST.
“These tools are designed to improve the cyber posture of organizations of different sizes and abilities to align compliance with the existing HIPAA security rule framework…. and is scalable to guide smaller entities with a flexibility-by-design approach and without prescribing a single pathway to improving one’s cyber posture,” the group added.
Adhering to these tools supports an effective security program and can help healthcare entities ensure compliance with HIPAA, while “improving cyber hygiene can improve patient safety.” When it updates its guidance directed to the healthcare sector, NIST should use the tool to further education on this issue, “especially for smaller and under-resourced providers, around the multiple benefits and importance of making this investment.”
HSCC makes a number of other much-needed recommendations to NIST on the guidance, with a keen focus on medical device security needs and further breakdowns of terminology to ensure those without security leadership understand needed security elements.