OCR Director Urges HIPAA-Regulated Entities to Fortify Their Cybersecurity Posture

In a recent blog post, Lisa J. Pino, Director of the HHS’ Office for Civil Rights (OCR), urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022, given the rise in cyberattacks targeting the healthcare sector.

2021 was a notably bad year for healthcare organizations. The number of reported healthcare data breaches reached a high level: the HHS’ Office for Civil Rights received reports of 714 healthcare data breaches of 500 or more records in 2021, and more than 45 million records were compromised.

Most of those breach reports involved hacking and other IT incidents, which resulted in the compromise or theft of the healthcare records of more than 43 million people. In 2021, hackers targeted healthcare providers dealing with the COVID-19 pandemic and carried out numerous attacks that had an immediate effect on patient care, leading to canceled operations, medical tests, and other services because IT systems were taken offline and system access was disabled.

Pino also mentioned the critical vulnerability discovered in the Log4j logging utility, which is built into many healthcare applications. The vulnerability was disclosed in December 2021, and cybercriminals and other threat groups were quick to exploit it to gain access to servers and systems for a variety of malicious purposes.

These vulnerabilities and data breaches show how important it is for healthcare organizations to remain alert to threats and to act promptly as soon as new risks to the confidentiality, integrity, and availability of protected health information (PHI) are identified.

Pino said that OCR investigations and reviews have found many instances of non-compliance with the risk analysis and risk management requirements of the HIPAA Rules. Frequently, risk analyses cover only the electronic health record. It is essential to perform an organization-wide risk analysis. Risk management processes must be comprehensive in scope, covering all electronic protected health information (ePHI) held anywhere in the organization: in applications, connected devices, legacy systems, and elsewhere on the network.

OCR’s audits of data breaches in 2020 identified several areas where HIPAA-regulated entities need to take action to improve compliance with the requirements of the HIPAA Security Rule, specifically:

  • Information system activity review
  • Risk analysis
  • Risk management
  • Audit controls
  • Authentication
  • Security awareness and training

Pino offered several recommendations: reviewing risk management policies and procedures, making sure data is backed up regularly (and testing backups to confirm that data can actually be recovered), performing regular vulnerability scanning, patching and updating software and operating systems promptly, training staff to recognize phishing and other common attacks, and practicing good cyber hygiene.

CISA and the Office for Civil Rights have published resources to help organizations protect against common threats to ePHI.