OCR’s recent focus on cybersecurity in the health care industry sends a clear message to HIPAA-covered entities and business associates: OCR expects you to implement security measures that address the known threats to ePHI evidenced by the sharp increase in hacking incidents. To that end, recent guidance published by OCR provides key information on specific security measures that OCR may deem reasonable and appropriate to address known and evolving threats to ePHI.
This post summarizes that guidance and outlines some key practical points.
Recent OCR Guide to Cybersecurity
Following the disclosure of the “log4j” vulnerability, OCR Director Lisa Pino published a blog post in late February in which she challenged HIPAA-covered entities and business associates to “strengthen your organization’s cyber posture in 2022.” Pino highlighted several best practices for HIPAA-covered entities and business associates, including:
- encrypting backups,
- scanning frequently for vulnerabilities,
- applying software and operating system patches regularly, and
- training employees to recognize phishing and other common IT attacks.
She also identified several areas of HIPAA Security Rule compliance that “need improvement” in the health care sector, based on OCR’s 2020 noncompliance investigations. Those areas included risk analysis, risk management, information system activity review, audit controls, security awareness and training, and authentication.
Shortly after Director Pino’s post, on March 17 OCR published its quarterly Cybersecurity Bulletin, focusing on “Defending Against Common Cyber Attacks.” The Bulletin elaborates on the director’s guidance, stating that “most cyberattacks could be prevented or substantially mitigated if HIPAA-covered entities and business associates implemented the requirements of the HIPAA Security Rule to address the most common types of attacks.” The Bulletin discusses how covered entities and business associates can meet some of those requirements and expands on ways organizations can address evolving threats to ePHI.
In support of its message to covered entities and business associates about the need to respond to the evolving threat landscape, the Bulletin notes a sharp increase in the number of breaches reported to OCR that were caused by hacking or IT incidents (a 45% increase from 2019 to 2020), and that hacking or IT incidents accounted for 66% of all breaches affecting 500 or more individuals reported to OCR in 2020.
Key Points from Recent OCR Guidance
Director Pino’s blog post and the Bulletin contain key information for HIPAA-covered entities and business associates on security measures that OCR may deem reasonable and appropriate in this era of heightened cyberthreats. To that end, we offer the following practical points:
- HIPAA “check the box” workforce training may be inadequate.
The Bulletin points out that technical solutions alone will not always prevent a cyber attack. Instead, OCR explains that covered entities and business associates must combine technical security measures with a “committed and educated workforce.” While workforce training has always been a requirement of the HIPAA Security Rule, the Bulletin expands on that requirement and suggests that workforce training should be “ongoing,” “evolving,” and “flexible enough to educate workforce members on current and new cybersecurity threats.” In particular, the Bulletin notes that HIPAA security training can be ineffective if “workforce members view it as a burden, a ‘check the box’ exercise consisting of little more than self-paced slideshows.” The Bulletin states that organizations should instead focus on developing innovative ways to keep workforce members engaged in understanding the role they play in protecting the organization’s ePHI.
In other words, if your workforce members have been watching the same videos and completing the same HIPAA training modules for years, consider refreshing your HIPAA training, or ask whether you could supplement your existing modules with interactive programs or periodic security reminders that meet the expectations set out in the Bulletin.
- Remote working conditions require special attention to access controls.
Weak user authentication is another area of focus in the Bulletin. OCR notes that “weak password rules and single-factor authentication are among the practices that can contribute to successful attacks,” and stresses that the strength of an organization’s authentication controls should be evaluated in light of changing working conditions. If, for example, users now access systems containing ePHI remotely, the organization should consider implementing stronger user authentication than it had in place when workers accessed ePHI only on the organization’s premises.
Organizations that have expanded the ability of their workforce members to access ePHI from remote locations or personal devices should consider implementing stronger authentication solutions, such as multi-factor authentication.
- There is no excuse for not addressing known vulnerabilities.
The Bulletin emphasizes that exploitation of known vulnerabilities is a common method used by attackers to penetrate the networks of covered entities and business associates and gain access to ePHI. OCR lists several resources that these organizations can use to identify and stay current on known vulnerabilities, such as subscribing to alerts from the HHS Health Sector Cybersecurity Coordination Center, participating in an information sharing organization, implementing a vulnerability scanning program, and periodically conducting penetration tests to identify security weaknesses. Once vulnerabilities are identified, appropriate measures should be implemented to mitigate them (e.g., applying patches, hardening systems, retiring legacy equipment).
From a practical perspective, addressing “known vulnerabilities” should be an achievable task, because those vulnerabilities are, by definition, already known or can be discovered with reasonable diligence. Covered entities and business associates should therefore have a process in place to regularly assess whether any of the systems they use to maintain or access ePHI contain vulnerabilities that leave that data open to attack.
- A comprehensive enterprise-wide risk analysis is the cornerstone of a HIPAA-compliant security program.
This may be “old news” for some, but the number of times OCR has recently emphasized the importance of conducting a comprehensive, enterprise-wide risk analysis warrants a reminder.
In her blog post, Director Pino put it bluntly: “I cannot stress enough the importance of an enterprise-wide risk analysis.” Additionally, throughout its discussion of the various threats to an organization’s cybersecurity posture, the Bulletin reminds covered entities and business associates that their risk analysis should guide the implementation of appropriate security controls. Failing to conduct a risk analysis regularly, or conducting one that does not address all of the ePHI in the organization, can leave your organization blind to the real threats to ePHI and unable to carry out the kind of comprehensive, forward-looking risk management that OCR expects.
If your organization is covered by HIPAA and you haven’t done a risk analysis in a while (if ever), or if the risk analyses you have done were too narrow (for example, focusing only on one system that maintains ePHI, such as your EHR), now is the time to conduct a comprehensive, enterprise-wide risk analysis.
* * * *
As OCR notes in the Bulletin, malicious attacks targeting the health care sector are likely to continue to rise. While attacks may not be completely preventable, there are many steps covered entities and business associates can and should take to mitigate evolving threats to ePHI. Ignoring those threats can leave your organization vulnerable not only to data breaches, but also to OCR investigations and enforcement actions.