You are now free to keep your providers’ secure. What’s next?

On December 2, 2020, the healthcare industry received some very exciting news as the Department of Health and Human Services (HHS) Office of Inspector General (OIG) published the Stark Law regulation’s final rule that “amends the safe harbors to the federal anti-kickback statute by adding new safe harbors and modifying existing safe harbors that protect certain payment practices and business arrangements from sanctions under the anti-kickback statute.” 

One of the most significant changes relates to Cybersecurity Technology and Related Services 42 CFR 1001.952(jj). The new rule will allow healthcare institutions to donate access to cybersecurity technology and services to their affiliated providers—a major win for the industry and for the many health system cybersecurity executives who have driven this very important change. As healthcare organizations continue to be the most exposed industry to cyber attacks in 2020, this announcement couldn’t have come at a better time.

The amended rule takes effect on January 19, 2021, and many healthcare organizations will have to determine how the changes may affect them.  Some key business questions they may want to address include:  

• Will we be able to fund any cybersecurity technology or services donated to our affiliated network in 2021 or in subsequent years?  If so, how much?
• How will we determine which affiliated entities qualify for support?
• Will we require any contributions (such as a percentage of costs or a fixed fee) from the recipient or will we fully fund the donation?
• How will we administer support while limiting our liability?
• Will we provide cyber technologies and services directly, or will we contract with a third party? If we choose a third-party, how will we identify the right companies that are best suited for small and mid-size practices?

The healthcare industry still has a long way to go to reduce the onslaught of cyberattacks that threaten the healthcare market.  But allowing larger healthcare organizations to leverage their knowledge, experience, and resources will kick-start much-needed improvements in the protection of patient information and healthcare operations.  Thank you, OIG! 

Cyvatar is a company dedicated to fixing cybersecurity.  It’s subscription-based cybersecurity-as-a-service (CSaaS) offering combines trusted security advisors and proven solutions that provide assessment, implementation, continuous monitoring, maintenance, AND remediation…all within a fixed-price plan.  Learn more here.