HHS’ Office for Civil Rights (OCR) Director Lisa J. Pino is urging HIPAA-regulated entities to improve their cybersecurity posture in 2022, following a year of increased hacking activity and data breaches. There is no indication that hacking attempts will decline in 2022, and worse may well be to come. In recent days, the HHS’ Health Sector Cybersecurity Coordination Center (HC3), together with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), has issued security alerts warning of an increased risk of cyberattacks.
In a recent blog post, the OCR Director drew attention to the increase in hacking and IT incidents in the healthcare sector in 2021, as cybercriminals and other threat groups took advantage of the COVID-19 pandemic. Ransomware attacks continued to plague the healthcare industry throughout 2021 and more than once forced critical systems offline, with a direct impact on patient care: appointments and surgeries were canceled, test results were delayed, and chemotherapy and radiology exams were postponed because systems were disrupted and patient records could not be accessed. There was also a major increase in reported vulnerabilities, with Pino drawing attention to the Log4j vulnerabilities disclosed in December. The open source Java-based logging library is embedded in many healthcare applications, and attackers were quick to exploit the vulnerabilities to gain access to networks.
Pino said that all of these issues underscore the need for healthcare organizations to be vigilant, take a proactive approach to cybersecurity, and ensure that cybersecurity best practices are followed. Cyberattacks often aim to deny access to business-critical information and patient records. For a swift recovery it is essential that backups of essential data are performed regularly, that the backups are tested to confirm they can actually be used to restore files, and that backups are encrypted and stored offline, out of reach of an attacker who has already compromised the network.
Vulnerabilities are regularly identified in operating systems and software, and they are often exploited by threat actors within days of disclosure. Updates and patches should be applied promptly, and healthcare organizations should conduct regular vulnerability scans and remediate the issues they uncover quickly. The HIPAA Security Rule requires security awareness training for the workforce; Pino explained that employees should be trained to recognize phishing attacks and the other common scams that target them. “I call on covered entities and business associates in 2022 to strengthen your organization’s cyber posture,” said Pino.
The HHS recently submitted its annual reports to Congress for calendar year 2020, as required by the HITECH Act, covering breaches of protected health information and HIPAA enforcement actions. The reports show a 61% increase since 2019 in large data breaches (those affecting 500 or more healthcare records), as well as an increase in smaller healthcare data breaches. OCR received 656 notifications of large data breaches in 2020; 429 of those were hacking incidents, and 199 involved ransomware.
OCR’s investigations into data breaches, audits, and compliance reviews have uncovered many cases of non-compliance. One of the most common is the risk analysis requirement of the HIPAA Security Rule. A risk analysis must be conducted to identify risks and vulnerabilities to the confidentiality, integrity, and availability of all PHI, yet many healthcare organizations have only assessed their electronic medical record system, even though PHI is stored in many other places on their networks. The HIPAA Security Rule is clear that the risk analysis must be organization-wide. Pino also emphasized the need for risk management strategies that are comprehensive in scope and urged HIPAA-regulated entities to review their risk management policies and procedures.
Pino also provided an update on OCR’s HIPAA enforcement priorities at the 31st Annual HIPAA Summit and confirmed that OCR’s robust enforcement of compliance with the HIPAA Rules will continue in 2022, with a particular focus on non-compliance with the HIPAA Right of Access.