Meet the HIPAA Safe Harbor Law Cybersecurity Requirements – and Gain Business Value

February 8, 2021  Jeff B. Copeland

The new HIPAA Safe Harbor Law directs the Department of Health and Human Services to incentivize best practices for cybersecurity. With quantitative cyber risk analysis, HIPAA-covered organizations can turn compliance with the new law into an opportunity to improve strategic planning and prioritization of their security initiatives, reducing cyber risk while optimizing spending. To explain:

Under HIPAA Safe Harbor, HHS must take into consideration, when determining fines or the extent of an audit for a cyber incident, whether regulated organizations followed “recognized security practices” for cyber in the preceding 12 months. HHS has yet to promulgate regulations, but the legislation cites as recognized practices the standards and frameworks developed for the NIST Act (namely, the NIST CSF) and the Cybersecurity Act of 2015 (namely, the HHS publication Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients).

The NIST Act standards (the NIST CSF) and the HHS guidelines are both highly useful lists of best practices for cybersecurity and have been widely used as a sort of checklist for organizations to gauge the maturity of their security operations.

But there’s a growing recognition in healthcare and other industries that, as the threat landscape has worsened, their security teams need a way to prioritize among best practices to focus limited budget and resources on their highest risks.

Forward-looking healthcare payers and providers are turning to Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification and the operating basis of the RiskLens platform.

Get started with FAIR and cyber risk quantification - talk to a RiskLens expert.

With quantitative cyber risk management through RiskLens, organizations can identify and prioritize their risks by loss exposure in financial terms, then analyze the effect on risk reduction of applying security controls and processes, and prioritize among security solutions with true cost/benefit analysis.

Excerpt from RiskLens Top Risks Report (image):

The FAIR standard for cyber risk quantification is recognized by NIST and has been adopted across leading healthcare payers and providers

The NIST CSF cites FAIR as a best practice for risk assessment and risk management. The recent NIST publication Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286) also recommends FAIR by name as a risk analysis methodology, and it calls for the specific capabilities that the RiskLens platform automates: risk prioritization, risk scenario modeling, Monte Carlo simulations, and, of course, quantification of cyber risk.
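To make the capabilities listed above concrete (prioritizing scenarios by loss exposure in financial terms, and weighing a control's risk reduction against its cost, as described earlier in this post), here is an added, self-contained Monte Carlo example in the FAIR style. It is illustrative code written for this page, not RiskLens platform code and not a FAIR Institute reference implementation. Every number in it (the scenario names, the loss event frequency and loss magnitude ranges, the control cost) is a constructed assumption; real inputs come from calibrated estimation with subject-matter experts. The triangular distributions are a simplification chosen so the script runs with only the standard library.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    """A FAIR-style risk scenario with (min, most likely, max) ranges.

    Both ranges below are assumed example inputs; in practice they come from
    a calibrated estimation workshop, not from this script.
    """
    name: str
    lef: tuple  # loss event frequency, events per year
    lm: tuple   # loss magnitude per event, USD


def sample_poisson(rate: float, rng: random.Random) -> int:
    """Draw the number of loss events in one simulated year (Knuth's method)."""
    threshold = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_ale(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> list:
    """Monte Carlo: per trial draw a frequency, draw that many events, sum losses."""
    rng = random.Random(seed)
    lef_lo, lef_ml, lef_hi = scenario.lef
    lm_lo, lm_ml, lm_hi = scenario.lm
    annual_losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode); note the argument order.
        rate = rng.triangular(lef_lo, lef_hi, lef_ml)
        events = sample_poisson(rate, rng)
        annual_losses.append(
            sum(rng.triangular(lm_lo, lm_hi, lm_ml) for _ in range(events)))
    return annual_losses


def percentile(values: list, q: float) -> float:
    """Simple nearest-rank percentile, good enough for reporting p50/p90."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def summarize(annual_losses: list) -> dict:
    return {
        "mean": statistics.fmean(annual_losses),
        "p50": percentile(annual_losses, 0.50),
        "p90": percentile(annual_losses, 0.90),
        "max": max(annual_losses),
    }


def prioritize(scenarios: list, trials: int = 10_000, seed: int = 1) -> list:
    """Rank scenarios by mean annualized loss exposure (ALE), highest first."""
    ranked = [(s.name, summarize(simulate_ale(s, trials, seed))) for s in scenarios]
    return sorted(ranked, key=lambda item: item[1]["mean"], reverse=True)


def control_cost_benefit(before: Scenario, after: Scenario, annual_control_cost: float,
                         trials: int = 10_000, seed: int = 1) -> dict:
    """Compare mean ALE with and without a control, net of the control's own cost."""
    reduction = (statistics.fmean(simulate_ale(before, trials, seed))
                 - statistics.fmean(simulate_ale(after, trials, seed)))
    return {"risk_reduction": reduction, "net_benefit": reduction - annual_control_cost}


# Constructed example scenarios: illustrative numbers only, not from any report.
RANSOMWARE = Scenario("Ransomware on clinical systems",
                      lef=(0.2, 0.5, 1.5), lm=(250_000, 1_500_000, 6_000_000))
LOST_LAPTOP = Scenario("Unencrypted laptop lost",
                       lef=(1, 3, 8), lm=(5_000, 40_000, 250_000))
# Same ransomware scenario after an assumed control (e.g. an MFA rollout) that
# is modelled as reducing loss event frequency while leaving magnitude unchanged.
RANSOMWARE_WITH_MFA = Scenario("Ransomware (after MFA rollout)",
                               lef=(0.05, 0.2, 0.6), lm=RANSOMWARE.lm)

if __name__ == "__main__":
    for name, stats in prioritize([RANSOMWARE, LOST_LAPTOP]):
        print(f"{name}: mean ${stats['mean']:,.0f}  p90 ${stats['p90']:,.0f}")
    # Assumed annual cost of the control, for the cost/benefit comparison.
    print(control_cost_benefit(RANSOMWARE, RANSOMWARE_WITH_MFA, annual_control_cost=150_000))
```

Run as-is to see the two constructed scenarios ranked by mean annualized loss exposure, followed by the risk reduction and net benefit of the assumed control. The design choice worth noting is that the output is a distribution (mean, p50, p90, worst case) rather than a single score, which is what lets a security team argue for a control in the same financial terms the rest of the business uses.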

FAIR is also compatible with the HITRUST CSF, the cybersecurity controls framework widely in use in the healthcare industry – in fact, the FAIR Institute and HITRUST are working out the details of a formal integration.

Learn more about FAIR-HITRUST CSF integration on the FAIR Institute website, including how Highmark Health puts integration into practice. “Now we can prioritize our resources to best address our risk,” a Highmark executive commented.

Example Integration of FAIR and HITRUST from Highmark (image):


In fact, RiskLens clients in healthcare already use risk quantification to gain maximum business value from HIPAA compliance. Read this Case Study: RiskLens and FAIR Satisfy HIPAA Risk Analysis Requirements to see step by step how a client applied solid FAIR analysis to the often vague requirements of HIPAA to conduct and document risk analyses, determine likelihood and impact of threat occurrence, determine a level of current risk and assess security measures.

Benefits of FAIR go beyond compliance

A FAIR program extends the power of risk quantification beyond compliance activities and into tactical and strategic decision support. As Highmark CISO Omar Khawaja said in an interview for the FAIR Institute, he’s growing a “risk-based culture rather than a [security technologies] installation-focused culture” by spreading FAIR methods. At Highmark, managers must run every proposed security initiative through a cost-benefit analysis with FAIR.

Find out how FAIR and the RiskLens platform can benefit your healthcare organization - talk to an expert.