Should HHS Offer Incentives for Cybersecurity Frameworks?
AMA Proposes Exemption from HIPAA Risk Analysis for Doctors Who Use a Framework
Should federal regulators provide physicians with a free pass from having to conduct a HIPAA risk analysis or face a random HIPAA compliance audit if they implement a cybersecurity framework?
That's what the American Medical Association has proposed that the Department of Health and Human Services' Office for Civil Rights and Office of Inspector General consider in an effort to incentivize physicians and clinicians to take more robust cybersecurity steps.
While some security experts say the proposal is worth considering, others warn it could potentially weaken the cybersecurity efforts of some healthcare providers.
In a statement provided to Information Security Media Group, OCR says: "Cybersecurity frameworks can be useful tools to help organizations understand, communicate and manage cybersecurity risks; however, the use of such frameworks does not imply or guarantee compliance with the HIPAA rules."
HHS did not immediately respond to an ISMG request to comment on whether it's considering the proposal. But Laura Hoffman, the AMA's assistant director of federal affairs, tells ISMG that HHS appears "interested, but non-committal."
AMA presented its proposal to HHS within the last year, she notes, but Hoffman spotlighted it in a March 28 presentation at an annual HIPAA summit in Virginia.
Risk Analysis Struggles
An AMA survey last year of 1,300 physicians with knowledge of HIPAA and cybersecurity procedures in their practices revealed that most respondents were highly concerned about cyberattacks and the potential impact to patient safety, Hoffman noted in her presentation. In addition, 83 percent of the respondents said they generally see the value of a security risk assessment, but they don't think HIPAA compliance is enough to truly address cyber threats.
Many physicians have struggled with security risk assessments, and weak risk analysis has been a common finding by OCR when it conducts breach investigations and HIPAA audits, Hoffman noted.
The AMA survey also found that 70 percent of physicians would be willing to pay an expert to implement a robust security framework if adoption meant that they would not be randomly audited for HIPAA compliance, Hoffman says.
Because HIPAA applies a "reasonable and appropriate" standard for privacy and security controls, the AMA is proposing that OCR accept a physician's use of a cybersecurity framework as "reasonable and appropriate" for meeting the clinician's obligation under HIPAA to conduct a security risk analysis, and/or exempt that physician from random HIPAA security compliance audits, she says.
"We at the AMA are thinking that instead of imposing more regulations on physicians and other clinicians, why not think of positive incentives when it comes to cybersecurity?" Hoffman said in her presentation.
"If we know [physicians] care about cybersecurity and they want to ... protect patient safety, what are some positive ways to support that?" Hoffman asked. "HIPAA [compliance] isn't enough to address cyberthreats."
AMA doesn't oppose the HIPAA security risk analysis requirements, she tells ISMG. "They are important to protect patient data in this day and age," she says. "However, physicians have historically - and continue to - find the requirements confusing and are not security experts. Their focus is on patient care. That's why highlighting cybersecurity as a patient safety issue is important - it gives a meaning to the security requirements."
The AMA believes there needs to be an emphasis on incentives rather than prescriptive requirements, Hoffman says. "For example, help motivate docs to adopt cyber hygiene because it's good for their patients, not just because the government tells them to," she says.
"Let's allow doctors to utilize industry experts to help physicians keep patient data secure and encourage them to do so. HIPAA wants reasonable and appropriate actions to protect privacy and security - adoption and implementation of a framework should meet that bar."
Some experts say the AMA recommendations are worth HHS's consideration.
"The idea that a particular approach [such as implementing a cybersecurity framework] would be deemed to constitute compliance with the security rule is certainly interesting," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"I suspect that is generally how things operate today in any event. This suggestion essentially says, 'If you do something that is reasonable and appropriate, we will conclude that you did reasonable and appropriate risk assessment.'"
The proposal regarding safe harbors from random audits is potentially more difficult for regulators to implement, Nahra says. "It seems to assume that audit selection represents some kind of 'bad mark' against an audited entity, which generally has not been the case," he says.
"I'm not sure it would even be helpful - you would have to persuade OCR that you did reasonable and appropriate things to avoid being part of the overall audit program - whatever that will be in the future, if anything," he says.
Demonstrating to OCR that your entity should not be audited may even turn out to be tougher to achieve than undergoing an actual HIPAA compliance audit, he says. "It might actually expose you to more enforcement, since the audit process generally is an information gathering exercise, not an enforcement tool."
OCR is sending signals, however, that it may not conduct another round of HIPAA compliance audits (see No Slowdown for HIPAA Enforcement, But Audits Ending).
The Value of a Risk Assessment
Some observers aren't convinced that implementing a cybersecurity framework is a valid reason to avoid conducting a HIPAA security risk analysis.
"They are two different documents, and having a framework in place does not preclude a risk assessment," says Phil Curran, chief information assurance and privacy officer at Cooper University Health in Camden, New Jersey. "The framework provides an entity with the controls they need to have in place. The risk assessment provides an entity with an overall risk posture based on the implementation of the controls."
For example, a framework may state that an entity must have multifactor authentication in place, he notes. "However, the entity's risk assessment may show that having other mitigating controls in place provides an acceptable residual risk to the entity versus the expense of implementing MFA."
Curran also says that the AMA proposal could prove difficult for OCR to execute. "Who will verify the framework is in place?" he asks. And he notes that "adoption of a framework does not prevent a breach."
If OCR were to adopt a "safe harbor" for those who use a framework, Curran says, "the only framework I could recommend is HITRUST. HITRUST is the only framework that I know of that takes the controls from over 25 regulations - HIPAA, Red Flag, PCI, NIST 800-53R4, NIST Cybersecurity Framework, ISO, etc. - puts them in one document and shows you the controls you need to implement based on the size of your organization."
The Limits of a Framework
OCR has already published a "crosswalk" between HIPAA and the National Institute of Standards and Technology's cybersecurity framework.
But in its statement, OCR tells ISMG that while implementing a cybersecurity framework is encouraged, it's not required - nor is adoption a compliance end-all.
"For example, users who have aligned their security program to the NIST Cybersecurity Framework should not assume that by so doing they are in full compliance with the HIPAA Security Rule," OCR says.
"Conversely, the HIPAA Security Rule does not require covered entities to integrate the Cybersecurity Framework into their security management programs. Covered entities and business associates should perform their own security risk analyses to identify and mitigate threats to the electronic protected health information they create, receive, maintain or transmit."
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, notes that not all frameworks being marketed to physician practices are proving to be effective in helping identify the threats and vulnerabilities to an organization's information systems. Plus, he says that to adopt the AMA's proposal, "HHS would likely need to change the HIPAA Security Rule regulation in order to change the current standard that requires performing an information security risk assessment."
With the rise of ransomware and other attacks, Holtzman says, "this is the wrong time to scale back the requirements for healthcare organizations to be performing risk assessments on the effectiveness of their information security efforts."
The AMA's proposal for allowing physicians who implement a cybersecurity framework to skip conducting a security risk analysis "is absolutely ridiculous," contends Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"It is clear that the caregivers proposing this do not seem to understand the purpose of a risk assessment, and how different that purpose is from the purpose of an information security framework," she says. "They should consider this: What if the HHS put out a statement that if the population followed a specific diet, they would never need to get tested for cancers, heart disease and other problems? Providers would say that is ridiculous, right? Because each patient is unique."
That approach, however, is similar to stating that if an information security framework is used then they do not need to assess the risks within the networks, applications, devices and systems used within healthcare providers' environments, Herold argues.
"A framework does not get into the nitty-gritty details for identifying and implementing the most appropriate tools, technologies, controls and processes to fit each unique environment," she says. "These are all different from one organization to the next, even if they are all using the same information security framework."