Because the Director of the Workplace for Civil Rights on the U.S. Division of Well being and Human Companies (OCR), prioritizing cyber safety and affected person privateness is of the utmost concern. From my years in authorities service, I perceive cyberattacks all too properly from my position on the U.S. Division of Homeland Safety the place I drove the company’s response to the 2015 U.S. cyber breach mitigation of 4 million federal personnel and 22 million surrogate profiles, which on the time was the most important hack in federal historical past. Now because the OCR Director, I’m persevering with this necessary work main HHS’s enforcement of the Well being Insurance coverage Portability and Accountability Act (HIPAA) Privateness, Safety, and Breach Notification Guidelines.
Cyberattacks grabbed headlines all through 2021 as hacking and IT incidents affected authorities companies, main corporations, and even provide chains for important items, like gasoline. For healthcare, this yr was much more turbulent as cybercriminals took benefit of hospitals and healthcare techniques responding to the Covid-19 pandemic. Multiple well being care supplier was compelled to cancel surgical procedures, radiology exams, and different companies, as a result of their techniques, software program, and/or networks had been disabled. And on the finish of December, a crucial vulnerability in a extensively used Java-based software program often known as “Log4j” grabbed headlines with warnings concerning the potential dangers this safety flaw may pose for organizations of all sizes. Such unpatched vulnerabilities give hackers easy accessibility to a company’s laptop server, and potential entry into different elements of a community. These experiences underscore why it’s so necessary for well being care to be vigilant of their method to cybersecurity. With these dangers in thoughts, I wish to name on coated entities and enterprise associates to strengthen your group’s cyber posture in 2022.
All too typically, we see that danger analyses solely cowl the digital well being report. I can’t underscore sufficient the significance of enterprise-wide danger evaluation. Threat administration methods have to be complete in scope. It is best to totally perceive the place all digital protected well being data (ePHI) exists throughout your group – from software program, to related gadgets, legacy techniques, and elsewhere throughout your community.
Should you haven’t checked out your danger administration insurance policies and procedures not too long ago to stop or mitigate these issues, now’s the time to take action. Some finest practices embody:
- Sustaining offline, encrypted backups of knowledge and frequently take a look at your backups;
- Conducting common scans to determine and tackle vulnerabilities, particularly these on internet-facing gadgets, to restrict the assault floor;
- Common patches and updates of software program and Working Techniques; and
- Coaching your staff concerning phishing and different widespread IT assaults.
Good cyber hygiene habits assist maintain your community wholesome and defend the ePHI in your techniques. OCR is right here to assist with steerage and assets:
As a part of the whole-of- authorities response to assist private and non-private organizations defend in opposition to the rise in ransomware circumstances, the Cybersecurity and Infrastructure Safety Company (CISA) launched StopRansomware.gov with assets designed to assist organizations perceive the specter of ransomware, mitigate danger, and within the occasion of an assault, know what steps to take subsequent.
Lastly, our workplace has issued the 2020 Annual Report back to Congress on HIPAA Privateness, Safety, and Breach Notification Rule Compliance, and 2020 Annual Report back to Congress on Breaches of Unsecured Protected Well being Info. These experiences spotlight the continued want for regulated entities to enhance compliance with the HIPAA Safety Rule requirements, specifically the implementation specs of danger evaluation and danger administration, data system exercise evaluation, audit controls, safety consciousness and coaching, and authentication. All of those compliance issues had been recognized as areas needing enchancment in 2020 OCR breach investigations.
We owe it to our sufferers, and trade, to enhance our cybersecurity posture in 2022 in order that well being data is personal and safe.
Lisa J. Pino, Director, Workplace for Civil Rights, U.S. Division of Well being and Human Companies