Because the Director of the Workplace for Civil Rights on the U.S. Division of Well being and Human Companies (OCR), prioritizing cyber safety and affected person privateness is of the utmost concern. From my years in authorities service, I perceive cyberattacks all too nicely from my function on the U.S. Division of Homeland Safety the place I drove the company’s response to the 2015 U.S. cyber breach mitigation of 4 million federal personnel and 22 million surrogate profiles, which on the time was the biggest hack in federal historical past. Now because the OCR Director, I’m persevering with this vital work main HHS’s enforcement of the Well being Insurance coverage Portability and Accountability Act (HIPAA) Privateness, Safety, and Breach Notification Guidelines.
Cyberattacks grabbed headlines all through 2021 as hacking and IT incidents affected authorities businesses, main corporations, and even provide chains for important items, like gasoline. For healthcare, this yr was much more turbulent as cybercriminals took benefit of hospitals and healthcare methods responding to the Covid-19 pandemic. Multiple well being care supplier was pressured to cancel surgical procedures, radiology exams, and different companies, as a result of their methods, software program, and/or networks had been disabled. And on the finish of December, a essential vulnerability in a extensively used Java-based software program generally known as “Log4j” grabbed headlines with warnings concerning the potential dangers this safety flaw might pose for organizations of all sizes. Such unpatched vulnerabilities give hackers easy accessibility to a company’s pc server, and potential entry into different elements of a community. These studies underscore why it’s so vital for well being care to be vigilant of their strategy to cybersecurity. With these dangers in thoughts, I wish to name on coated entities and enterprise associates to strengthen your group’s cyber posture in 2022.
All too usually, we see that danger analyses solely cowl the digital well being report. I can’t underscore sufficient the significance of enterprise-wide danger evaluation. Danger administration methods must be complete in scope. You must totally perceive the place all digital protected well being data (ePHI) exists throughout your group – from software program, to linked gadgets, legacy methods, and elsewhere throughout your community.
When you haven’t checked out your danger administration insurance policies and procedures just lately to stop or mitigate these considerations, now’s the time to take action. Some greatest practices embody:
- Sustaining offline, encrypted backups of information and commonly take a look at your backups;
- Conducting common scans to determine and deal with vulnerabilities, particularly these on internet-facing gadgets, to restrict the assault floor;
- Common patches and updates of software program and Working Methods; and
- Coaching your workers concerning phishing and different widespread IT assaults.
Good cyber hygiene habits assist preserve your community wholesome and defend the ePHI in your methods. OCR is right here to assist with steerage and sources:
As a part of the whole-of- authorities response to assist private and non-private organizations defend in opposition to the rise in ransomware instances, the Cybersecurity and Infrastructure Safety Company (CISA) launched StopRansomware.gov with sources designed to assist organizations perceive the specter of ransomware, mitigate danger, and within the occasion of an assault, know what steps to take subsequent.
Lastly, our workplace has issued the 2020 Annual Report back to Congress on HIPAA Privateness, Safety, and Breach Notification Rule Compliance, and 2020 Annual Report back to Congress on Breaches of Unsecured Protected Well being Data. These studies spotlight the continued want for regulated entities to enhance compliance with the HIPAA Safety Rule requirements, particularly the implementation specs of danger evaluation and danger administration, data system exercise evaluate, audit controls, safety consciousness and coaching, and authentication. All of those compliance considerations have been recognized as areas needing enchancment in 2020 OCR breach investigations.
We owe it to our sufferers, and trade, to enhance our cybersecurity posture in 2022 in order that well being data is personal and safe.
Lisa J. Pino, Director, Workplace for Civil Rights, U.S. Division of Well being and Human Companies