Which Cybersecurity Frameworks Qualify for Safe Harbor?

The Health Insurance Portability and Accountability Act (HIPAA) enabled the development and implementation of standards for storing and handling protected health information (PHI). All covered entities (CE) that handle patient data, including pharmacies, hospitals, and even employers that provide health insurance plans to their employees, must follow these standards. HIPAA rules also apply to third-party business associates (BA), such as accounting and law firms, that have access to these organizations’ data.

HIPAA obligates CEs and BAs to safeguard patient privacy and imposes severe penalties on non-compliant organizations. But with cyberthreats continuously evolving and cybercriminals’ propensity to target PHI, it can be difficult for both CEs and BAs to avoid incurring these penalties. In 2021, for instance, cyberattacks against health plans and BAs increased by 35% and 18%, respectively, compared to figures from 2020. Hacking-related data breaches against clinics, on the other hand, increased by 41%.

To incentivize healthcare organizations to maximize their cybersecurity initiatives and efforts, the HIPAA Safe Harbor Bill was signed into law on January 5, 2021. It calls on the Department of Health and Human Services (HHS) to consider whether an organization has adequately implemented recognized security practices for at least the preceding 12 months. HHS may reduce the penalties for a data breach if the organization can demonstrate that it had industry-standard security measures in place at the time of the attack.

In its definition of “recognized security practices,” the HIPAA Safe Harbor Act refers to both the United States National Institute of Standards and Technology (NIST) Act and the Cybersecurity Act of 2015 (CSA). It also mentions “other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

Let’s discuss what these are below:

NIST Cybersecurity Framework (CSF)

NIST CSF provides organizations with standards and recommendations that will enable them to improve their ability to prevent, detect, respond to, and recover from cyberattacks. It also includes documents that guide organizations in developing their cybersecurity controls environment.

Most healthcare organizations utilize a security framework based on NIST 800-53, which provides both security and privacy controls for all federal information systems. There are 18 control families under NIST 800-53, each of which is classified as either high, medium, or low priority. These controls, however, do not include those related to national security.

Cybersecurity Act of 2015 (CSA) Section 405(d)

Section 405(d) of the CSA led HHS to organize the CSA 405(d) Task Group, which developed guidelines and recommendations to help healthcare organizations cost-effectively improve their cybersecurity. The Task Group published its recommendations in the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, which consists of the following:

  • The HICP main volume, which outlines the cybersecurity risks threatening the healthcare sector, as well as the practices that can address those risks
  • Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations, which discusses practices to overcome threats for small healthcare organizations
  • Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations, which outlines practices to address risks for medium to large healthcare organizations

The Task Group identified five cyber threats endangering healthcare organizations:

  1. Phishing
  2. Ransomware
  3. Equipment loss or theft
  4. Intentional or accidental internal data loss
  5. Attacks against connected medical devices

It then presented the following 10 measures to address the aforementioned threats:

  1. Cybersecurity policies
  2. Access management
  3. Incident response
  4. Data protection and data loss prevention
  5. Network management
  6. Asset management
  7. Endpoint protection
  8. Vulnerability management
  9. Email protection
  10. Medical device security

Other Programs

The HIPAA Safe Harbor Law refers to “other programs and processes” as bases for what constitutes “recognized security practices.” According to the Healthcare Information and Management Systems Society (HIMSS), besides NIST and CSA, these are the most common cybersecurity frameworks used by healthcare organizations:

ISO 27001

This international standard requires organizations to identify the risks they face and develop the processes and policies necessary for addressing those risks. In particular, certification against it attests that an organization has implemented the measures necessary to secure information and similar assets entrusted to it by third parties.

Center for Internet Security Critical Security Controls (CIS CSC)

The CIS CSC is composed of 18 controls that guide organizations in preventing cyber incidents. However, these controls are not a complete, standalone cybersecurity framework; firms must use them alongside other frameworks such as the NIST CSF.

HITRUST Common Security Framework (CSF)

Incorporating standards from other frameworks like HIPAA, ISO, NIST, and even the General Data Protection Regulation (GDPR), HITRUST CSF is among the most comprehensive cybersecurity frameworks today. It provides controls based on the risks an organization faces, which also makes compliance quite challenging. To illustrate, depending on its risk profile, an organization can be assessed against anywhere between 250 and 800 controls.

The HIPAA Safe Harbor Law is a great way to encourage healthcare organizations and their associates to invest in technologies and measures that can protect patient information. If you are unsure where to start, our HIPAA compliance experts at Charles IT will be glad to assist you. Contact us today and get started with qualifying for safe harbor protection!