Healthcare Roundup: HIPAA Safe Harbor Bill, HIPAA Penalties Lifted, Takedown of Cyber Threats, and Biden's Cybersecurity Team

February 4, 2021

Every month, we compile the most compelling healthcare privacy and security-related news stories. Below, you’ll learn about the HIPAA Safe Harbor bill becoming law, the OCR lifting HIPAA penalties for COVID-19 vaccine scheduling apps, the takedown of the Netwalker ransomware site and Emotet botnet, and Biden’s cybersecurity team being bolstered with a wave of seasoned experts.

HIPAA Safe Harbor Bill Becomes Law; Requires HHS to Incentivize Security

On January 5, former President Donald Trump officially signed HR 7898 into law.  The HIPAA Safe Harbor bill amends the HITECH act to require the Department of Health and Human Services (HHS) to incentivize best practice cybersecurity for meeting HIPAA requirements.   

Under the legislation, HHS must consider a covered entity’s or business associate’s use of industry-standard security practices over the course of 12 months, when investigating and undertaking HIPAA enforcement actions, or other regulatory purposes.

The bill also requires that HHS take cybersecurity into account when calculating fines related to security incidents.  HHS must decrease the extent and length of an audit, if it’s determined the impacted entity has met industry-standard best practice security requirements.

Additionally, the law expressly states that the HITECH changes do not give HHS the authority to increase fines or the extent of an audit when an entity is found to be out of compliance with the recognized security standards.

The law joins several other industry efforts aimed at strengthening healthcare cybersecurity efforts when healthcare is being targeted by hackers in record numbers.

OCR Lifts HIPAA Penalties for COVID-19 Vaccine Scheduling Apps: 5 Details

The Office for Civil Rights (OCR) will allow providers to use online or web-based apps for scheduling COVID-19 vaccine appointments in good faith without the risk of a HIPAA penalty.

The article offers five details:

  1. On January 19, the OCR announced its enforcement discretion, effective immediately with retroactive date of December 11, 2020.
  2. The enforcement discretion is meant to help speed up the vaccination process for HIPAA-covered entities, which must quickly schedule a mass number of patient visits for COVID-19 vaccines. 
  3. According to the news release, the OCR is lifting penalties associated with online and web-based scheduling apps when "used in good faith and only for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency."
  4. The enforcement action does not include appointment scheduling technology that connects directly to the EHR.
  5. The notification encourages healthcare providers and business associates to continue using safeguards that protect the privacy and security of individuals' protected health information, for example, encryption technology and enabling all privacy settings.

Netwalker Ransomware Site, Emotet Botnet Taken Down in Global Effort

On January 27, Federal agencies took down two of the most prolific cyber threats: the Emotet botnet and the Netwalker ransomware hacking group’s dark web site used for communicating with victims.

The notorious Emotet botnet was taken down through a global collaboration, while the FBI and the Department of Justice seized the Netwalker ransomware hackers' dark web site used for communicating with victims.

These actions mark a significant hit to two massive threats that battered a range of sectors. Netwalker has been a particular nuisance to the healthcare industry.  It’s healthcare victims include the University of California San Francisco, which paid $1.14 million to the attackers for the return of data stolen from its School of Medicine in June 2020.

Biden’s Cybersecurity Team To Be Bolstered with a Wave of Seasoned Experts

President Joe Biden is expected to tap three officials from former President Barack Obama’s administration for key cyber positions.

According to Reuters and CyberScoop, President Biden will likely name Jen Easterly as national cyber director; Robert Silvers to lead the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency; and Eric Goldstein as CISA's Cybersecurity Division head.  All have extensive experience working on cyber issues, showing that the Biden administration is making cybersecurity and the protection of United States infrastructure a top priority.

The new team will tackle the many cybersecurity issues the country faces, including in the healthcare sector.  Over the last year, hackers increasingly have targeted hospitals, health systems and other healthcare organizations in response to the COVID-19 pandemic.  The government continues to respond to the SolarWinds hack and other high-profile threats.