OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture


In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry.

2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached.

The breach reports were dominated by hacking and other IT incidents, which resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations that were already dealing with the COVID-19 pandemic and conducted several attacks that directly affected patient care: surgeries, medical examinations, and other services were canceled because IT systems were taken offline and network access was disabled.

Pino also drew attention to the critical vulnerability identified in the Java-based logging utility Log4J, which has been incorporated into many healthcare applications. The vulnerability was discovered in December 2021 and cybercriminals and other threat groups were quick to exploit it to gain access to servers and networks for a range of malicious purposes.

The vulnerabilities and data breaches show how important it is for healthcare organizations to be vigilant to threats and take prompt action when new risks to the confidentiality, integrity, and availability of protected health information are identified. “With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022,” said Pino.

Pino said OCR investigations and audits have uncovered many cases of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. “All too often, we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope,” explained Pino. “You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”

OCR’s investigations of data breaches in 2020 showed multiple areas where HIPAA-regulated entities need to take steps to improve compliance with the standards of the HIPAA Security Rule, especially in the following areas:

  • Risk analysis
  • Risk management
  • Information system activity review
  • Audit controls
  • Security awareness and training
  • Authentication

Pino made several recommendations, including reviewing risk management policies and procedures, ensuring data are regularly backed up (and testing backups to ensure data recovery is possible), conducting regular vulnerability scans, patching and updating software and operating systems promptly, training the workforce how to recognize phishing scams and other common attacks, and practicing good cyber hygiene.

“We owe it to our patients, and industry, to improve our cybersecurity posture in 2022 so that health information is private and secure,” concluded Pino, who also drew attention to resources that have been made available by CISA and the Office for Civil Rights to help protect against common threats to ePHI.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
