July 31, 2023
A colleague asked me recently, “HIPAA was written 25 years ago. Why are we still talking about it today?”
This is a complex question requiring some context to answer. The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 and applies to covered entities (CE). However, numerous amendments and subsequent regulations have expanded upon or changed how HIPAA enforcement works.
After HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH) arrived in 2009 as part of the American Recovery and Reinvestment Act (ARRA). HITECH rewards providers for using electronic medical records (EMR) systems, but the act also strengthens the controls for electronic protected health information (ePHI). HIPAA came out when providers were using paper records, and the rule was written to manage privacy in a paper-dominated world. As computers and electronic records took over, modifications were needed. Concepts like auditing and monitoring, as well as access logs and encryption, were introduced. There was also an increased use of business associates (BA), the subcontractors or vendors who process protected health information (PHI) on behalf of the covered entity. The growing role of business associates drove wider use of business associate agreements (BAA), which communicate the intent of the covered entity and require that the BA implement the same controls as the CE.
In 2013, the Department of Health and Human Services (HHS) passed the Omnibus Rule. This rule enables the Office for Civil Rights (OCR), which enforces HIPAA/HITECH, to fine BAs in addition to CEs. The Omnibus Rule also strengthens patients’ rights by requiring specific abilities to access and restrict disclosure of their PHI.
Most important to cybersecurity is HIPAA’s Breach Notification Rule, which mandates that CEs and BAs notify and report to the Secretary of Health and Human Services any breach of unsecured protected health information affecting more than 500 people. This reporting requirement is one contributing reason that the health care industry has the highest number of reported data breaches.
The Cybersecurity Information Sharing Act of 2015 (CISA), section 405(d), intends to strengthen the cybersecurity posture of health care and public health. In 2017, empowered by CISA, the Department of Health and Human Services established the 405(d) task group, including health care thought leaders, to provide cybersecurity guidelines to protect PHI. The task group researched the most common cybersecurity threats and published the Health Industry Cybersecurity Practices (HICP), a set of best practices to cost-effectively reduce cybersecurity risk for all types and sizes of health care organizations. These threats and the associated industry-recommended practices are the desired minimum controls that a covered entity should implement to protect patients.
The last piece of the puzzle is a 2021 amendment to the HITECH Act, which enables reduced penalties for BAs who have implemented “Recognized Security Practices” (RSPs). The Office for Civil Rights (OCR) will consider an organization’s established RSPs for the past 12 months during its audit review and penalty enforcement processes. A 2022 OCR video outlines RSPs as either part of the NIST Cybersecurity Framework (CSF) or approaches documented under section 405(d). That is why HIPAA continues to be a hot topic today!
Optiv is a strong proponent of implementing a security framework to simplify IT risk identification, assessment and monitoring. When used in conjunction with regulations like HIPAA/HITECH, such a framework provides the supporting structure needed to safeguard an organization's data against cyber threats and vulnerabilities. Therefore, Optiv recommends that all health care organizations evaluate either the NIST CSF or HICP and implement one of these two recognized security practices to reduce the risk of HIPAA fines.