A blog from the U.S. Department of Health and Human Services (HHS) entitled “Improving the Cybersecurity Posture of Healthcare in 2022,” by Lisa Pino, director, Office for Civil Rights (OCR), was published on Feb. 28. The blog recommends that HIPAA covered entities and business associates “strengthen their cyber posture in 2022.”
Just this week, we reported that the American Hospital Association (AHA) published a cybersecurity advisory warning that Russia may use cyberattacks as a form of retaliation due to the economic and military sanctions placed on the country by the U.S. government and NATO allies.
Also this week, Mac McMillan, president and CEO of the Austin, Texas-based CynergisTek cybersecurity consulting firm, shared his perspectives with Healthcare Innovation Editor-in-Chief Mark Hagland, on the potential for the Russian invasion of Ukraine to indirectly impact IT in the U.S. healthcare system, particularly with regard to supply chain.
Pino states that “Cyberattacks grabbed headlines throughout 2021 as hacking and IT incidents affected government agencies, major companies, and even supply chains for essential goods, like gasoline. For healthcare, this year was even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the COVID-19 pandemic. More than one healthcare provider was forced to cancel surgeries, radiology exams, and other services, because their systems, software, and/or networks had been disabled. And at the end of December, a critical vulnerability in a widely used Java-based software known as ‘Log4j’ grabbed headlines with warnings about the potential risks this security flaw could pose for organizations of all sizes. Such unpatched vulnerabilities give hackers easy access to an organization’s computer server, and possible entry into other parts of a network. These reports underscore why it is so important for healthcare to be vigilant in their approach to cybersecurity. With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022.”
“All too often, we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis,” Pino continues. “Risk management strategies need to be comprehensive in scope. You should fully understand where all electronic protected health information (ePHI) exists across your organization—from software, to connected devices, legacy systems, and elsewhere across your network.”
According to Pino, some risk management policies and procedures best practices include:
- Maintaining offline, encrypted backups of data and regularly testing backups
- Performing regular scans to detect and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface
- Frequent patches and updates of software and operating systems
- Employee training regarding phishing and other IT attacks
Moreover, “Good cyber hygiene habits help keep your network healthy and protect the ePHI on your systems. OCR is here to help with guidance and resources:
- Ransomware: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
- Cybersecurity: https://www.hhs.gov/hipaa/forprofessionals/security/guidance/cybersecurity/index.html
- Risk Analysis: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
- HHS Security Risk Assessment Tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool”
Additionally, as part of the government’s response to help private and public organizations defend against the upsurge in ransomware attacks, the Cybersecurity and Infrastructure Security Agency (CISA) launched StopRansomware.gov, which provides resources about ransomware and the steps to take in the event of an attack.
Pino concludes by saying that “Finally, our office has issued the 2020 Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, and 2020 Annual Report to Congress on Breaches of Unsecured Protected Health Information. These reports highlight the continued need for regulated entities to improve compliance with the HIPAA Security Rule standards, in particular the implementation specifications of risk analysis and risk management, information system activity review, audit controls, security awareness and training, and authentication. All of these compliance concerns were identified as areas needing improvement in 2020 OCR breach investigations.”