OCR: HIPAA Security Rule Compliance Can Prevent or Mitigate Many Cyberattacks

Healthcare hacking incidents have been increasing considerably for several years. Hacking/IT incidents rose 45% from 2019 to 2020, and in 2021, 66% of breaches of unsecured electronic protected health information (ePHI) were attributed to hacking and other IT incidents. A large share of those data breaches could have been avoided if HIPAA-regulated entities had been fully compliant with the HIPAA Security Rule.

The Department of Health and Human Services’ Office for Civil Rights (OCR) stated in its March 2022 cybersecurity newsletter that adherence to the HIPAA Security Rule would prevent or substantially mitigate most cyberattacks. Many cyberattacks on the healthcare sector are financially motivated and are carried out to steal ePHI or to encrypt patient data and deny legitimate access to it. Initial access to healthcare systems is typically gained through well-established methods such as phishing, exploitation of known vulnerabilities, and weak authentication practices, rather than through the exploitation of previously unknown vulnerabilities.

Prevention of Phishing

According to Coveware’s Q2 2021 Quarterly Ransomware Report, roughly 42% of ransomware attacks in that quarter gained initial network access through phishing emails. Phishing attacks attempt to trick employees into visiting a malicious website and disclosing their credentials, or into opening a malicious file that installs malware.

Anti-phishing technologies such as spam filters and web filters are important technical safeguards against phishing. They block email from known malicious domains, inspect attachments and hyperlinks, and prevent access to known malicious websites where malware is hosted or credentials are harvested. These tools are essential technical measures for protecting the confidentiality, integrity, and availability of ePHI.
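As an added illustration of the checks such filters perform (example code written for this page, not from the article, OCR, or any filtering product), the following Python screens RFC 5322 messages: it rejects senders and links on a blocklist, flags domains that imitate a protected domain, flags link text that hides a different destination, and flags risky attachment types. The blocklists, protected domain, thresholds and sample messages are constructed assumptions for the example.

```python
"""Added example, not from the article or OCR: a minimal mail-gateway style
screen applying the three checks described above to RFC 5322 messages.
Blocklists, the protected domain and the sample messages are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed blocklists (assumptions; a real gateway pulls these from threat feeds)
BLOCKED_SENDER_DOMAINS = {"evil-invoices.example"}
BLOCKED_URL_DOMAINS = {"portal-auth.example"}
RISKY_ATTACHMENT_EXT = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso"}
PROTECTED_DOMAINS = {"hospital.example"}          # assumed organisation domain

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    return (urlparse(url).hostname or "").lower().rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as h0spital.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, protected):
    """True if host imitates the protected domain without being it or a subdomain of it."""
    if host == protected or host.endswith("." + protected):
        return False
    if protected in host:          # brand embedded elsewhere, e.g. hospital.example.attacker.example
        return True
    return edit_distance(host, protected) <= 2


def screen_message(raw):
    """Return (verdict, findings) for one RFC 5322 message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_dom = sender.rpartition("@")[2].lower()
    if sender_dom in BLOCKED_SENDER_DOMAINS:
        findings.append(f"sender domain on blocklist: {sender_dom}")
    elif any(is_lookalike(sender_dom, p) for p in PROTECTED_DOMAINS):
        findings.append(f"sender domain imitates a protected domain: {sender_dom}")

    for part in msg.walk():
        fname = part.get_filename()
        if fname:                                   # attachment: check the extension only
            ext = ("." + fname.rsplit(".", 1)[-1].lower()) if "." in fname else ""
            if ext in RISKY_ATTACHMENT_EXT:
                findings.append(f"risky attachment type: {fname}")
            continue
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        # Link text that shows one host while the href points at another
        for href, text in ANCHOR_RE.findall(body):
            shown = URL_RE.search(text)
            if shown and host_of(shown.group(0)) != host_of(href):
                findings.append(f"link text {host_of(shown.group(0))} hides {host_of(href)}")
        # Every URL in the body, checked against the blocklist and for lookalikes
        for url in URL_RE.findall(body):
            h = host_of(url)
            if h in BLOCKED_URL_DOMAINS:
                findings.append(f"link to blocklisted site: {h}")
            elif any(is_lookalike(h, p) for p in PROTECTED_DOMAINS):
                findings.append(f"link to lookalike domain: {h}")
    return ("quarantine" if findings else "deliver"), findings


# Constructed sample messages (not real mail)
SAMPLE_PHISH = """\
From: "IT Helpdesk" <helpdesk@hospital.example.secure-login-update.example>
To: nurse@hospital.example
Subject: Password expiry
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Sign in at
<a href="http://portal-auth.example/login">https://hospital.example/portal</a></p>
"""

SAMPLE_LEGIT = """\
From: records@hospital.example
To: nurse@hospital.example
Subject: Schedule
Content-Type: text/plain; charset=utf-8

Updated rota at https://intranet.hospital.example/rota
"""

SAMPLE_MACRO = """\
From: billing@evil-invoices.example
To: finance@hospital.example
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT, SAMPLE_MACRO):
        print(screen_message(sample))
```

The lookalike test deliberately treats subdomains of the protected domain as legitimate and everything else that contains or nearly matches it as suspicious; a production filter would also consult sender authentication results (SPF, DKIM, DMARC), which this example omits.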

OCR reminded HIPAA-regulated entities that the Security Rule requires them to implement a security awareness and training program for all members of the workforce, including management and senior executives. A regulated entity’s training program should be an ongoing, evolving process, flexible enough to educate the workforce on new and current cybersecurity threats (e.g., phishing, ransomware) and how to respond to them.

The Security Rule also contains an addressable implementation specification for sending periodic security reminders to the workforce. OCR noted that phishing simulation emails are an effective form of “security reminder”. These exercises measure the effectiveness of the training program and allow regulated entities to identify weak links and address them. Those weak links may be individuals who have not fully absorbed their training, or gaps in the training program itself.

Unfortunately, security training can be ineffective when employees perceive it as a burdensome “check-the-box” exercise consisting only of self-paced slide presentations. Regulated entities should find creative ways to make security training engaging and to keep employees invested in understanding their role in safeguarding ePHI.

Prevention of Vulnerability Exploitation

Some cyberattacks exploit previously unknown vulnerabilities (zero-day attacks), but it is far more common for attackers to exploit known vulnerabilities for which patches are available or mitigations have been published. Failure to patch and update operating systems and applications promptly leaves these vulnerabilities open to exploitation.

The continued use of outdated, unsupported software and operating systems (legacy systems) is widespread in the healthcare sector. Such systems should be upgraded or replaced. Where an outdated, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented or existing safeguards strengthened to mitigate known vulnerabilities until the upgrade or replacement can occur (e.g., increasing access restrictions, removing or limiting network access, and disabling unnecessary features or services).

The HIPAA Security Rule requires regulated entities to implement a security management process to prevent, detect, contain, and correct security violations. A risk analysis must be conducted, and risks and vulnerabilities to ePHI must be reduced to a reasonable and appropriate level. The risk analysis and risk management process must identify and address both technical and non-technical vulnerabilities.

To help address technical vulnerabilities, OCR recommends subscribing to alerts and bulletins from OCR, CISA, and the HHS Health Sector Cybersecurity Coordination Center (HC3), and participating in an information sharing and analysis center (ISAC). Vulnerability management should include regular vulnerability scans and periodic penetration tests.

Elimination of Poor Cybersecurity Practices

Cyber actors frequently take advantage of weak authentication practices such as weak passwords and single-factor authentication. According to the 2020 Verizon Data Breach Investigations Report, more than 80% of breaches attributed to hacking involved compromised or brute-forced credentials.
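The credential attacks behind that statistic leave a recognizable trace in authentication logs. The following Python, added here as an example and not taken from the article or the Verizon report, reads a constructed, assumed log format and flags three patterns: brute force against one account from one source, password spraying of many accounts from one source, and a successful login that follows a burst of failures from the same source. The log format, thresholds, window and log lines are assumptions made for the example.

```python
"""Added example, not from the article or OCR: detection logic for
brute-force, password-spray and success-after-failure patterns over
authentication log lines. Format, thresholds and sample lines are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth FAIL|OK user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

WINDOW = timedelta(minutes=5)   # sliding window for all three detections
FAIL_THRESHOLD = 5              # failures against one account from one source
SPRAY_THRESHOLD = 4             # distinct accounts failed from one source
SUCCESS_AFTER_FAILS = 3         # failures preceding an OK that make it suspicious


def parse(lines):
    """Parse log lines into (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                # ignore lines in another format
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    events.sort()
    return events


def detect(lines):
    """Return sorted (kind, src, subject, count) alerts; subject is '*' for sprays."""
    alerts = {}                                     # (kind, src, subject) -> max count seen
    fails = defaultdict(list)                       # (src, user) -> failure timestamps in window
    last_fail = defaultdict(dict)                   # src -> {user: last failure time}

    def raise_alert(key, count):
        alerts[key] = max(alerts.get(key, 0), count)

    for ts, result, user, src in parse(lines):
        q = fails[(src, user)]
        if result == "FAIL":
            q.append(ts)
            while q and ts - q[0] > WINDOW:          # drop failures outside the window
                q.pop(0)
            if len(q) >= FAIL_THRESHOLD:
                raise_alert(("brute_force", src, user), len(q))
            last_fail[src][user] = ts
            recent_users = [u for u, t in last_fail[src].items() if ts - t <= WINDOW]
            if len(recent_users) >= SPRAY_THRESHOLD:
                raise_alert(("password_spray", src, "*"), len(recent_users))
        else:
            # A success right after repeated failures suggests a guessed password
            recent = [t for t in q if ts - t <= WINDOW]
            if len(recent) >= SUCCESS_AFTER_FAILS:
                raise_alert(("success_after_failures", src, user), len(recent))
    return sorted((k, s, subj, n) for (k, s, subj), n in alerts.items())


# Constructed sample log (not real data): one brute force that succeeds,
# one spray across four accounts, and one benign mistyped password.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:03 auth FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:05 auth FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:07 auth FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:09 auth FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:12 auth OK user=jsmith src=203.0.113.7
2024-03-01T09:10:00 auth FAIL user=alee src=198.51.100.9
2024-03-01T09:10:20 auth FAIL user=bkim src=198.51.100.9
2024-03-01T09:10:40 auth FAIL user=cpatel src=198.51.100.9
2024-03-01T09:11:00 auth FAIL user=dnguyen src=198.51.100.9
2024-03-01T09:30:00 auth FAIL user=alee src=192.0.2.55
2024-03-01T09:30:30 auth OK user=alee src=192.0.2.55
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The spray detector keys on distinct accounts per source rather than failures per account, which is why a per-account lockout threshold alone misses it; the success-after-failures rule is the one that turns a noisy event into an incident, since with multi-factor authentication enforced a guessed password alone should not have produced that OK.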

The risk of unauthorized access is greater when users access systems remotely, so additional authentication controls should be enforced, such as multi-factor authentication for remote users.

Because privileged accounts provide access to a wider range of systems and data, steps should be taken to strengthen the security of those accounts. To reduce the risk of unauthorized access to privileged accounts, a regulated entity may determine that a privileged access management (PAM) solution is reasonable and appropriate. A PAM solution is a tool for securing, managing, controlling, and auditing access to and use of privileged accounts and functions across an organization’s infrastructure. It gives organizations control over, and visibility into, how privileged accounts are used in their environment, and can therefore help detect and prevent their misuse.

OCR reminds regulated entities that they must regularly review the strength and effectiveness of their cybersecurity practices, enhance or add security controls to reduce risk as appropriate, and conduct periodic technical and non-technical evaluations of implemented security measures in response to environmental or operational changes affecting the security of ePHI.