OCR’s recent focus on cybersecurity in the health care sector sends a clear message to HIPAA covered entities and business associates: OCR expects you to implement security measures that address known threats to ePHI that are evidenced by the sharp uptick in cyber hacking incidents. To that end, recent guidance published by OCR provides some key insights on what specific security measures OCR may consider reasonable and appropriate to address those known and evolving threats to ePHI.

This post summarizes that guidance and outlines some key practical takeaways.

Recent OCR Guidance on Cybersecurity

In the wake of the revelation of the “Log4j” vulnerability, OCR Director Lisa Pino published a blog post at the end of February challenging HIPAA covered entities and business associates to “strengthen your organization’s cyber posture in 2022.” Pino noted some best practices for HIPAA covered entities and business associates, including:

• encryption of backups,
• frequent vulnerability scanning,
• regular patching of software and operating systems, and
• training employees on phishing and other common IT attacks.

She also pointed out several areas of compliance with the HIPAA Security Rule “needing improvement” in the health care sector based on OCR’s 2020 breach investigations. Those areas of improvement included risk analysis, risk management, information system activity review, audit controls, security awareness and training, and authentication.

Shortly after Director Pino’s post, on March 17 OCR published its quarterly Cybersecurity Newsletter, focusing on “Defending Against Common Cyber-Attacks.” The Newsletter dives deeper into some of the Director’s guidance and asserts that “most cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates implemented HIPAA Security Rule requirements to address the most common types of attacks.” The Newsletter advises on how covered entities and business associates can address some of those requirements and expands on ways in which organizations can address evolving threats to the security of ePHI.

In support of its message to covered entities and business associates about the need to respond to the evolving threat landscape, the Newsletter points to a sharp increase in the number of breaches reported to OCR that were caused by hacking or IT incidents (a 45% rise from 2019 to 2020), and notes that the number of breaches due to hacking or IT incidents accounted for 66% of all breaches affecting 500 or more individuals reported to OCR in 2020.

Key Takeaways from Recent OCR Guidance

Director Pino’s post and the Newsletter contain some key insights for HIPAA covered entities and business associates about what security measures OCR may consider reasonable and appropriate in this new age of heightened cyber threats. To that end, we offer the following key practical takeaways:

1. “Check the box” workforce HIPAA training may be inadequate.

The Newsletter points out that technical solutions alone will not always prevent against the threat of a cyber-attack. Instead, OCR explains that covered entities and business associates must combine technical security measures with an “engaged, educated workforce.” Although workforce training has always been a requirement of the HIPAA Security Rule, the Newsletter expands on that requirement, suggesting that workforce training should be “ongoing,” “evolving,” and “flexible enough to educate workforce members on new and current cybersecurity threats.” In particular, the Newsletter states that HIPAA security training can be ineffective if it is “viewed by workforce members as a burdensome, ‘check the box’ exercise consisting of little more than self-paced slide presentations.” The Newsletter states that organizations should instead focus on developing innovative ways to keep workforce members engaged in understanding the role they play in protecting the organization’s ePHI.

In other words, if your workforce members have been watching the same videos and completing the same HIPAA training modules for years, consider a HIPAA training refresh. Or, query whether you could supplement your existing training modules with interactive programs or periodic security reminders that meet the expectations set out in the Newsletter.

2. Remote work conditions require special attention to access controls.

Deficient user authentication measures are another area of focus in the Newsletter. OCR points out that “weak password rules and single factor authentication are among the practices that can contribute to successful attacks,” and stresses that the strength of an organization’s authentication controls should be evaluated in light of evolving working conditions. If, for example, users access systems containing ePHI remotely, the organization should consider implementing stronger user authentication solutions than were previously deployed when workers accessed ePHI only when on the organization’s premises.

Organizations that have expanded their workforce members’ ability to access ePHI from remote locations or personal devices should thus consider implementing stronger authentication solutions, such as multi-factor authentication.

3. There’s no excuse for not addressing known vulnerabilities.

The Newsletter emphasizes that exploiting known vulnerabilities is a common method used by hackers to penetrate covered entities’ and business associates’ networks and gain access to ePHI. OCR lists several resources that these organizations can use to identify and stay up-to-date on known vulnerabilities, such as subscribing to alerts from the HHS Health Sector Cybersecurity Coordination Center, participating in an information sharing organization, implementing vulnerability scanning programs, and periodically conducting penetration tests to identify security weaknesses. Once vulnerabilities are identified, appropriate measures must be implemented to mitigate those vulnerabilities (e.g., applying patches, hardening systems, retiring legacy equipment).

From a practical perspective, addressing “known vulnerabilities” should be low hanging fruit because those vulnerabilities are—by definition—known, or able to be known with reasonable diligence. Covered entities and business associates should thus have a process in place for frequently evaluating whether any of their systems used to maintain or access ePHI include vulnerabilities that leave that data exposed to a possible attack.

4. A comprehensive, enterprise-wide risk analysis is the cornerstone of a compliant HIPAA security program.

This one might fall in the category of “old news” to some, but the number of times OCR has recently emphasized the importance of conducting a thorough, enterprise-wide risk analysis warrants a callout.

In her blog post, Director Pino put it bluntly: “I cannot underscore enough the importance of an enterprise-wide risk analysis.” In addition, throughout its discussion of the various threats to an organization’s cyber security posture, the Newsletter reminds covered entities and business associates that their risk analysis should guide the implementation of appropriate security controls. Failing to conduct a risk analysis periodically—or conducting a risk analysis that does not address all ePHI that exists across the organization—can leave your organization blind to actual threats to ePHI and unable to conduct the kind of comprehensive, forward-looking risk management strategies that OCR expects.

If your organization is covered by HIPAA and hasn’t conducted a risk analysis in a while (or ever), or if the risk analyses you have done have been too narrowly focused (e.g., only focusing on one system that maintains ePHI, such as your EHR), then now is the time to conduct a thorough enterprise-wide risk analysis.

* * * *

As OCR points out in the Newsletter, malicious attacks targeting the health care sector are likely to continue to increase. Although security attacks may not be completely preventable, there are many steps that covered entities and business associates can and should take to mitigate against evolving threats to ePHI. Ignoring those threats can leave your organization vulnerable not only to data breaches, but also to OCR investigations and enforcement actions.