Showing Evidence of 'Recognized Security Practices'Robert Booker, Chief Strategy Officer of HITRUST, on Providing Proof to Regulators
Federal regulators say they will consider the "recognized security practices" - or RSPs - implemented by healthcare businesses when making HIPAA enforcement determinations. Any medical clinic or business associate counting on that consideration should be prepared to show proof that backs up their claims, says Robert Booker, chief strategy officer of HITRUST.
"You've got to demonstrate that you align with a framework and show evidence that those RSPs have been active and consistently in use for 12 months or more across the entire scale of the company," he says in an interview with Information Security Media Group.
The Department of Health and Human Services' Office for Civil Rights in November issued video guidance explaining how it would consider the recognized security practices of covered entities and business associates in certain HIPAA enforcement decisions, as called for under an amendment that Congress made to the HITECH Act in January 2021 (see: How 'Recognized Security Practices' Fit With HIPAA Enforcement Actions).
Among the recognized security practices HHS OCR says it will consider are those pertaining to the National Institute of Standards and Technology's Cybersecurity Framework, practices of section 405(d) of the Cybersecurity Act of 2015, and "other."
"It's more than just policy and procedures and an audit program that annually or biannually checks the system. It's having a good validation or reporting system, and I think that should be built into the culture for that organization," Booker says.
HITRUST, formerly called the Health Information Trust Alliance, is best known for its Common Security Framework for health and financial information.
In the interview (see audio link below photo), Booker also discusses:
- How HITRUST's CSF aligns with the recognized security practices, including the NIST Cybersecurity Framework, being considered by HHS OCR in its HIPAA enforcement determinations;
- Cybersecurity challenges faced by smaller healthcare entities;
- Evolving cyberthreats and top security concerns for healthcare in 2023.
Booker recently retired after spending 13 years as CISO of a large health insurer. Previously, he served at a multinational telecommunications company leading and supporting information security programs and initiatives for numerous global enterprises in the pharmaceutical and consumer products sectors.