OCR Director Tells HIPAA-Regulated Entities to Reinforce Their Cybersecurity Posture

In a new blog post, Director Lisa J. Pino of the HHS’ Office for Civil Rights urged HIPAA-regulated entities to take steps to reinforce their cybersecurity posture in 2022, given the upsurge in cyberattacks on the healthcare sector.

2021 was a particularly bad year for healthcare providers. The number of healthcare data breach reports reached record levels: 714 healthcare data breaches involving 500 or more records were reported to the HHS’ Office for Civil Rights in 2021, and over 45 million records were exposed.

Most of the breach reports involved hacking and other IT incidents that led to the exposure or theft of the healthcare information of more than 43 million individuals. In 2021, hackers targeted healthcare companies responding to the COVID-19 pandemic and carried out a number of attacks that had a strong impact on patient care, prompting canceled surgical procedures, medical assessments, and other services because IT systems were taken down and network access was disabled.

Pino additionally noted the critical vulnerability discovered in the logging utility Log4J, which is integrated into many healthcare applications. The vulnerability was identified in December 2021, and cyber attackers and other threat groups were swift to exploit it to gain access to servers and networks for a range of malicious purposes.

These vulnerabilities and data breaches demonstrate how essential it is for healthcare providers to stay alert to risks and take prompt action whenever new risks to the integrity, confidentiality, and availability of protected health information (PHI) are identified.

Pino explained that OCR investigations and audits have found numerous instances of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. Oftentimes, risk assessments cover only the electronic health record. It is important to conduct an enterprise-wide risk analysis. Risk management strategies must be comprehensive in scope – covering all electronic protected health information (ePHI) that exists throughout the organization – from software applications to connected devices, legacy systems, and other locations across your network.

OCR’s investigations of data breaches in 2020 revealed several areas where HIPAA-regulated entities need to take action to improve compliance with the requirements of the HIPAA Security Rule, particularly the following:

  • Risk analysis
  • Risk management
  • Audit controls
  • Information system activity assessment
  • Security awareness and training

Pino offered a number of recommendations, including reviewing risk management policies and procedures, making sure data are routinely backed up (and testing backups to confirm that data can actually be recovered), performing routine vulnerability scans, patching and updating applications and operating systems promptly, training employees to recognize phishing scams and other common attacks, and practicing good cyber hygiene.

CISA and the Office for Civil Rights have made resources available to help safeguard against common threats to ePHI.