As the hockey great Wayne Gretzky relayed, “I skate to where the puck is going to be, not where it has been.”
These words were relayed to Gretzky by his father, and they are equally applicable to cybersecurity management – look to the future to stay ahead of the curve. An article I recently read mentioned “four lines of sight” that should be used throughout a business cycle:
- Oversight – includes fiduciary thinking and assessing vulnerabilities and threats that an organization (whether large or small) may encounter;
- Insight – considered generative thinking, it’s an individual sharing or challenging a certain course of action;
- Foresight – this is where the “puck analogy” comes into play – understand the threats and trends while looking ahead to the future; and
- Hindsight – reflecting on the past, whether an individual incident or strategy, in order to learn something and make changes.
Let’s apply these concepts to H.R. 7898, which was signed into law on January 5, 2021, and which addresses the recognition of security practices and amends the HITECH Act – kind of.
H.R. 7898 amended the HITECH Act (42 U.S.C. §17931, et seq.) by adding Section 13412:
(a) In General.—Consistent with the authority of the Secretary under sections 1176 and 1177 of the Social Security Act, when making determinations relating to fines under such section 1176 (as amended by section 13410) or such section 1177, decreasing the length and extent of an audit under section 13411, or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may—
- (1) mitigate fines under section 1176 of the Social Security Act (as amended by section 13410);
- (2) result in the early, favorable termination of an audit under section 13411; and
- (3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.
(b) Definition And Miscellaneous Provisions.—
- “(1) RECOGNIZED SECURITY PRACTICES.—The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title).
- “(2) LIMITATION.—Nothing in this section shall be construed as providing the Secretary authority to increase fines under section 1176 of the Social Security Act (as amended by section 13410), or the length, extent or quantity of audits under section 13411, due to a lack of compliance with the recognized security practices.
- “(3) NO LIABILITY FOR NONPARTICIPATION.—Subject to paragraph (4), nothing in this section shall be construed to subject a covered entity or business associate to liability for electing not to engage in the recognized security practices defined by this section.
- “(4) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the Secretary’s authority to enforce the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title), or to supersede or conflict with an entity or business associate’s obligations under the HIPAA Security rule.
The express language of the amendments highlights the nexus between the recognized security practices, NIST, and HIPAA. If we harken back to the Final Omnibus Rule (78 Fed. Reg. 5566, 5575, 5647 (Jan. 25, 2013)), NIST is mentioned, along with HIPAA and the HITECH Act. If organizations had applied the four concepts above to HIPAA and cybersecurity compliance, perhaps the following would have been gleaned:
- Oversight – looking at the industry best practices, were NIST standards, as well as the Security Rule requirements, being utilized in the annual risk analysis;
- Insight – perhaps somewhere along the way, an individual raised the issue of using NIST standards or challenging the technical, administrative, and physical safeguards which were in place;
- Foresight – after reading the Omnibus Rule nearly 8 years ago and seeing the cross-walk posted on the HHS website, it is likely that an organization could have anticipated H.R. 7898 and gotten ahead of the curve; and
- Hindsight – if a security incident occurred or if gaps were found in the annual risk analysis, what steps were taken to correct the deficiencies?
In cybersecurity, as in life, a holistic approach, which includes reflecting on the past, being present today, and looking ahead to anticipate changes, trends, and threats, should be utilized. Failing to see “where the puck is going” can result in a losing strategy and increased risk for non-compliance with HIPAA and the HITECH Act.
About the Author
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.