Health Information Compliance Alert

HIPAA:

OCR Recommends Focus on Cybersecurity in 2022

Published on Mon Mar 07, 2022

PDF

After 2021 cyberattack spikes, feds urge CEs to better mitigate threats.

Even before the pandemic began, cybersecurity was a thorny subject for the healthcare industry. But, the feds suggest that last year was a particularly challenging year for HIPAA covered entities (CEs) and their business associates (BAs) — and healthcare as a whole needs a reset.

Background: Both big and small providers have suffered at the hands of hackers over the past few years, and it’s taken both a professional and financial toll on many CEs and BAs. However, 2021 saw a huge increase in data security incidents in healthcare, with millions of individuals’ protected health information (PHI) hijacked. “For healthcare, this year was even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the COVID-19 pandemic,” said Lisa J. Pino, HHS Office for Civil Rights (OCR) director, in a blog post. “More than one health care provider was forced to cancel surgeries, radiology exams, and other services, because their systems, software, and/or networks had been disabled,” she lamented.

Statistics: According to the OCR breach portal, 2021 was a banner year for HIPAA breaches. There were 714 incidents reported to OCR with 500 or more individuals’ PHI exposed. In fact, more than 45.7 million individuals were impacted last year, the breach tool shows. Hacking and IT incidents dominated the landscape with the majority of the PHI outages attributed to issues related to network servers, email, desktop computers, and mobile devices.

In December, experts warned healthcare organizations about vulnerability issues related to patching fails for the Java-based software Apache Log4j, which is often used in applications on medical devices. Pino pointed to these “security flaws” as well as other systemic problems to “underscore why it is so important for healthcare to be vigilant in their approach to cybersecurity.” She urged CEs and BAs to bolster their “cyber posture in 2022.”

Heed This Expert Advice

In an investigative report of 2020 breaches — the most recent year that the feds have compiled data available to study — OCR offered a window into some of the top problems they feel that CEs and BAs should be homing in on, specifically risk analysis and management.

Reminder: Prioritizing the safety of electronic PHI (ePHI) is the central theme of the HIPAA Security Rule, but OCR finds that many CEs don’t go beyond a cursory risk analysis of their EHR systems, Pino indicated. An enterprise-wide risk analysis that offers comprehensive protections and includes the organization’s scale and scope are what the agency expects.

“The HIPAA Security Rule requires that organizations implement ‘reasonable and appropriate’ security controls based on their assessment of risk,” explains Adam Kehler, director of RSP Healthcare Services at Online Business Systems. Additionally, “the sheer volume of data and number of systems in healthcare are increasing, thereby increasing the attack surface,” he warns.

The investigations show that healthcare organizations fall short on the HIPAA Security Rule, and that’s why this sector is vulnerable to attack and violations crop up more often than in other industries. “These reports highlight the continued need for regulated entities to improve compliance with the HIPAA Security Rule standards, in particular the implementation specifications of risk analysis and risk management, information system activity review, audit controls, security awareness and training, and authentication,” Pino advised.

Consider these OCR-inspired recommendations to jumpstart your 2022 HIPAA Security Rule compliance:

Ensure you are up to date on patches and legacy system changes.
Back up your data and store encrypted copies offline.
Educate your staff on both the HIPAA regulations and common cybersecurity concerns like phishing and ransomware.
Monitor your systems and keep a log of any unusual cyber activity.
Conduct “regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface.”

Resource: Find the blog post with links to other cyber hygiene hot topics as well as the 2020 breach reports at www.hhs.gov/blog/2022/02/28/improving-cybersecurity-posture-healthcare-2022.html.

Health Information Compliance Alert

HIPAA:
OCR Recommends Focus on Cybersecurity in 2022
After 2021 cyberattack spikes, feds urge CEs to better mitigate threats. Even before the pandemic [...]

Toolkit:
Enhance Cybersecurity Skills With These Federal Tools
Tip: Start small as you ramp up your implementation of new policies. If you’re trying [...]

Health Information Exchange:
ONC Follows Through on Cures Act Provisions With TEFCA
Latest policies aim to streamline data sharing with better HIEs. The pandemic shined a spotlight [...]

Sequoia Project Publishes Free PHE Guide
Emergency preparedness continues to be a hot topic in the health IT industry, particularly as [...]

Reader Question:
Boost Security With This Wi-Fi Insight
Question: Our hospital’s IT department has built a Wi-Fi network that has the bandwidth to [...]

Industry Notes:
Feds Provide Tips on HIPAA-Compliant Transactions
Figuring out the nuances of the HIPAA Simplification rules and how they apply to your [...]

Industry Notes:
OCR Updates Guidance on the Intersection of Gender, Civil Rights, and Privacy
The HHS Office for Civil Rights (OCR) issued a brief on transgender and gender nonconforming [...]

Industry Notes:
FDA Gets New Commissioner
What’s old is new again — or at least that’s the case in the U.S. [...]

Industry Notes:
Bipartisan Efforts Continue to Extend Telehealth Coverage
During the pandemic, the Medicare telehealth expansion allowed many providers to keep their doors open [...]

View All