Medicare Compliance & Reimbursement

HIPAA:

Don’t Put Cybersecurity on the Back Burner in 2022

Utilize these free tools from the feds to boost your cyber health.

The pandemic magnified the healthcare industry’s problem with cybersecurity. The feds indicate that covered entities (CEs) need to step up their cyber game in 2022 — and they’re offering some fresh guidance on how to do that.

Context: Big and small providers have suffered at the hands of hackers over the past few years, both professionally and fiscally. However, 2021 was a year like no other, and data security incidents spiked across the industry. “This year was even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the COVID-19 pandemic,” said Lisa J. Pino, HHS Office for Civil Rights (OCR) director, in a blog post. “More than one health care provider was forced to cancel surgeries, radiology exams, and other services, because their systems, software, and/or networks had been disabled,” she lamented.

Plus: According to the OCR breach portal, HIPAA breaches skyrocketed in 2021. There were 714 incidents reported to OCR in which the PHI of 500 or more individuals was exposed. In fact, more than 45.7 million individuals were impacted last year, the breach tool shows. Hacking and IT incidents dominated the landscape, with the majority of the PHI breaches attributed to network servers, email, desktop computers, and mobile devices.

In December, experts warned healthcare organizations about a vulnerability in the Java-based logging library Apache Log4j, which is often used in applications on medical devices, and about the patching failures surrounding it. Pino pointed to these “security flaws” as well as other systemic problems to “underscore why it is so important for healthcare to be vigilant in their approach to cybersecurity.” She urged healthcare organizations to bolster their “cyber posture in 2022.”

Bolster Cyber Health With These HHS Resources

To assist CEs and their business associates with cybersecurity issues, the Department of Health and Human Services (HHS) set up a website for its 405(d) Aligning Health Care Industry Security Approaches Program. The online tools are a collaboration between industry experts and the feds, aka the HHS 405(d) Task Group, and the program aims to align healthcare organizations’ regulatory compliance so the sector can better fight cyber threats en masse, an HHS release suggests.

“This website is the first of its kind,” says Erik Decker, 405(d) Task Group Industry co-lead, in the HHS release. “It’s a unique space where the healthcare industry can access vetted cybersecurity practices specific to the [healthcare and public health] HPH sector on a federal government website.”

He adds, “I think it’s a great resource for the HPH sector to turn to and will surely be a go-to site for organizations that want to better protect their patients and facilities from the latest cybersecurity threats.”

Understand the Nuts and Bolts of the 405(d) Website

Among HIPAA’s Security Rule provisions, the option to design your organization’s compliance program can be simultaneously liberating and daunting. The 405(d) guidance touches on this perennially challenging task.

“The great thing about 405(d) is that it offers 10 best practices to improve security, and it breaks them down into recommendations based on organizational size,” says Jen Stone, MCIS, CISSP, CISA, QSA, principal security analyst with SecurityMetrics in Orem, Utah. “This means that even small practices with limited funding can get started with reasonable security controls.”

With the 405(d) resources, practices can access tools to help with common issues that sometimes lead to data breach problems later on. “For example, implementing unique account IDs will allow a small organization to prevent terminated employees from accessing protected information after they leave. This type of account management is an area where we have seen significant breaches occur, but it’s preventable using tools that are already paid for or have free versions,” Stone explains.

Smaller providers don’t always have the financial means or the staff to dedicate to cybersecurity and risk management; however, the 405(d) program identifies the most common threats to these organizations and offers role-specific tips.

“Healthcare professionals, especially in smaller practices, often struggle because they take on many roles,” Stone points out. “Cybersecurity best practices aren’t complex, but not everyone knows where to find a quick summary of threats or the solutions to counter them. Fortunately, 405(d) offers both.”

She adds, “A few of the most effective practices include multi-factor authentication, anti-malware, and timely patching.”

Important: With more staff working from home, new challenges have popped up with access and security controls. Another area of critical importance is cybersecurity education — employees must understand the risks associated with remote work and how to recognize problems.

“Remote staff are becoming well versed in the technologies that keep us together while apart,” Stone says. “The real trick is to make training meaningful so people will pay attention and retain it. Make sure the training you choose is focused on the type of work each staff member does so it will help them counter privacy and security challenges they will actually face.”

Resources: Find the 405(d) website at https://405d.hhs.gov/public/navigation/home.
