Health Information Cybersecurity Bill Signed

January 8, 2021

A New Health Information Cybersecurity Bill became law on January 6. The new law contains provisions that require the Secretary of Health and Human Services to recognize cyber security best practices when evaluating the conduct of HIPAA covered entities who are the victims of cyber attacks like ransomware and data theft. The new law should have a positive impact on the healthcare sector.


Being victimized by cyber attackers is always a devastating event. To add insult to injury, some cyber attack victims are later criticized or penalized by governmental regulators who, with 20/20 hindsight, conclude that the victim could have done a better job of protecting its data. Healthcare and education entities are especially vulnerable to regulatory punishment.


As one FBI expert with whom Nyemaster regularly works has said, there are two types of businesses in this nation, those that have experienced cyber security incidents and those that are going to. The new law implicitly recognizes that even when a regulated entity employs state of the art security measures, malicious actors may nevertheless perpetrate a security breach. The law specifically directs HHS to take into account recognized security practices, standards, guidelines, best practices and methodologies utilized by the healthcare sector. The law should allow regulators some flexibility in dealing with cybersecurity breaches.