Because the Director of the Workplace for Civil Rights on the U.S. Division of Well being and Human Providers (OCR), prioritizing cyber safety and affected person privateness is of the utmost concern. From my years in authorities service, I perceive cyberattacks all too properly from my function on the U.S. Division of Homeland Safety the place I drove the company’s response to the 2015 U.S. cyber breach mitigation of 4 million federal personnel and 22 million surrogate profiles, which on the time was the most important hack in federal historical past. Now because the OCR Director, I’m persevering with this essential work main HHS’s enforcement of the Well being Insurance coverage Portability and Accountability Act (HIPAA) Privateness, Safety, and Breach Notification Guidelines.
Cyberattacks grabbed headlines all through 2021 as hacking and IT incidents affected authorities companies, main firms, and even provide chains for important items, like gasoline. For healthcare, this yr was much more turbulent as cybercriminals took benefit of hospitals and healthcare programs responding to the Covid-19 pandemic. A couple of well being care supplier was compelled to cancel surgical procedures, radiology exams, and different providers, as a result of their programs, software program, and/or networks had been disabled. And on the finish of December, a vital vulnerability in a broadly used Java-based software program often known as “Log4j” grabbed headlines with warnings in regards to the potential dangers this safety flaw may pose for organizations of all sizes. Such unpatched vulnerabilities give hackers quick access to a company’s pc server, and attainable entry into different elements of a community. These stories underscore why it’s so essential for well being care to be vigilant of their method to cybersecurity. With these dangers in thoughts, I want to name on lined entities and enterprise associates to strengthen your group’s cyber posture in 2022.
All too typically, we see that danger analyses solely cowl the digital well being file. I can not underscore sufficient the significance of enterprise-wide danger evaluation. Danger administration methods must be complete in scope. You need to absolutely perceive the place all digital protected well being info (ePHI) exists throughout your group – from software program, to linked units, legacy programs, and elsewhere throughout your community.
For those who haven’t checked out your danger administration insurance policies and procedures lately to stop or mitigate these issues, now could be the time to take action. Some finest practices embody:
- Sustaining offline, encrypted backups of knowledge and often take a look at your backups;
- Conducting common scans to establish and handle vulnerabilities, particularly these on internet-facing units, to restrict the assault floor;
- Common patches and updates of software program and Working Techniques; and
- Coaching your staff concerning phishing and different frequent IT assaults.
Good cyber hygiene habits assist preserve your community wholesome and shield the ePHI in your programs. OCR is right here to assist with steering and sources:
As a part of the whole-of- authorities response to assist private and non-private organizations defend towards the rise in ransomware instances, the Cybersecurity and Infrastructure Safety Company (CISA) launched StopRansomware.gov with sources designed to assist organizations perceive the specter of ransomware, mitigate danger, and within the occasion of an assault, know what steps to take subsequent.
Lastly, our workplace has issued the 2020 Annual Report back to Congress on HIPAA Privateness, Safety, and Breach Notification Rule Compliance, and 2020 Annual Report back to Congress on Breaches of Unsecured Protected Well being Data. These stories spotlight the continued want for regulated entities to enhance compliance with the HIPAA Safety Rule requirements, particularly the implementation specs of danger evaluation and danger administration, info system exercise evaluate, audit controls, safety consciousness and coaching, and authentication. All of those compliance issues had been recognized as areas needing enchancment in 2020 OCR breach investigations.
We owe it to our sufferers, and business, to enhance our cybersecurity posture in 2022 in order that well being info is non-public and safe.
Lisa J. Pino, Director, Workplace for Civil Rights, U.S. Division of Well being and Human Providers