OCR Highlights How HIPAA Security Rule Compliance Can Prevent Breaches

In recent years cyberattacks have been on the rise, with a 45% increase in hacking/IT incidents recorded from 2019 to 2020. In 2021, 66% of breaches involving unsecured electronic protected health information (ePHI) happened as a result of hacking and other IT shortcomings. Most of these breaches could have been avoided if HIPAA-regulated entities had been 100% compliant with the HIPAA Security Rule.

In its March 2022 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights (OCR) outlined how adhering to the HIPAA Security Rule would practically eliminate the majority of cyberattacks.

A large portion of cyberattacks targeting the healthcare sector aim to steal revenue, illegally obtain ePHI, or encrypt patient data in order to demand a ransom for its release. Initial access to healthcare databases is typically obtained using common tactics such as phishing, exploiting known vulnerabilities, and abusing weak authentication, rather than exploiting previously unknown flaws.

Coveware’s Q2 2021 Quarterly Ransomware Report revealed that 42% of ransomware attacks in that quarter involved initial access obtained through phishing emails. Anti-phishing tools, including spam filters and web filters, are crucial in defending against phishing attacks. They block emails from recognised malicious domains, scan attachments and links, and prevent access to recognised malicious websites where malware is installed or credentials are stolen. These tools are key security measures for protecting the confidentiality, integrity, and availability of ePHI.
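As an added illustration of the three checks the paragraph attributes to anti-phishing tools (a blocked sender domain, a link to a recognised malicious site, and a dangerous attachment), the following Python triage routine is example code written for this page; it is not from OCR, Coveware, or any product. The blocklists, domains and sample messages are constructed placeholders, not real indicators.

```python
"""Minimal mail-gateway style triage: sender-domain blocklist, link
blocklist and attachment-type policy. All lists and messages below are
constructed for this example and are not real threat intelligence."""
import os
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed blocklists (placeholders). A real gateway would feed these
# from threat-intelligence sources such as the HC3/CISA bulletins the
# article recommends subscribing to.
BLOCKED_SENDER_DOMAINS = {"bad-example.invalid"}
BLOCKED_URL_DOMAINS = {"login-portal.example.invalid"}
# Executable attachment types this example policy refuses outright.
BLOCKED_ATTACHMENT_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def extract_urls(msg):
    """Collect http(s) URLs from every text part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def attachment_names(msg):
    """Filenames of all parts that declare one (i.e. attachments)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw_message):
    """Return a list of human-readable findings; empty means no hit."""
    msg = message_from_string(raw_message)
    findings = []
    dom = sender_domain(msg)
    if dom in BLOCKED_SENDER_DOMAINS:
        findings.append(f"sender domain blocked: {dom}")
    for url in extract_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKED_URL_DOMAINS:
            findings.append(f"link to blocked domain: {host}")
    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_ATTACHMENT_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: "IT Helpdesk" <helpdesk@bad-example.invalid>
To: clinician@hospital.example
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Reset your password at https://login-portal.example.invalid/reset now.
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"

TVqQAAMAAAAEAAAA
--XYZ--
"""

SAMPLE_CLEAN = """From: colleague@hospital.example
To: clinician@hospital.example
Subject: Updated policy
Content-Type: text/plain

The revised policy is at https://intranet.hospital.example/policy
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, triage(raw) or "no findings")
```

The sample phishing message trips all three checks, while the clean one produces no findings; in practice the sender check would sit alongside SPF/DKIM/DMARC validation rather than replace it.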

OCR commented: “The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members. A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond”.

The Security Rule includes an addressable requirement to issue periodic security reminders to the workforce. OCR said one of the best ways of delivering “security reminders” is to send phishing simulation emails. These exercises measure the effectiveness of the training program and enable regulated entities to spot weaknesses and remedy them.

OCR said: “Unfortunately, security training can fail to be effective if it is viewed by workforce members as a burdensome, “check-the-box” exercise consisting of little more than self-paced slide presentations. Regulated entities should develop innovative ways to keep the security trainings interesting and keep workforce members engaged in understanding their roles in protecting ePHI.”

Some breach attempts aim to exploit previously unknown vulnerabilities (zero-day attacks), but it is much more likely that cybercriminals will target recognised vulnerabilities for which patches have already been released, in the hope that the patches and operating system updates have not been applied. This allows hackers to exploit these known weaknesses.

OCR commented that the ongoing use of outdated, unsupported software and operating systems (legacy systems) remains common in the healthcare sector, saying: “Regulated entities should upgrade or replace obsolete, unsupported applications and devices (legacy systems). However, if an obsolete, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur.”

The HIPAA Security Rule states that regulated entities must implement a security management process to prevent, detect, contain, and correct security violations. A risk analysis must be completed, and risks and vulnerabilities to ePHI must be reduced to a reasonable and appropriate level. The risk analysis and risk management process should reveal and address both technical and non-technical flaws.

OCR recommends signing up for alerts and bulletins from CISA, OCR, and the HHS Health Sector Cybersecurity Coordination Center (HC3), and participating in an information sharing and analysis center (ISAC).

Cyber actors often target weak authentication practices, such as poor passwords and single-factor authentication. The 2020 Verizon Data Breach Investigations Report found that over 80% of breaches attributed to hacking involved compromised or brute-forced credentials.
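The brute-forcing the Verizon figure refers to leaves a characteristic trace in authentication logs: a burst of failed logins from one source, often across several usernames, sometimes followed by a success. The detector below is an added example written for this page, not code from OCR or Verizon; the log format, timestamps, addresses and thresholds are all constructed for the illustration.

```python
"""Sliding-window detection of credential brute forcing / password spraying
over authentication log lines. Log format and data are constructed for
this example; adapt LOG_RE to the real log source."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> auth FAIL|OK user=<u> src=<ip>"
LOG_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")

# Constructed sample log (not real data). 203.0.113.9 sprays four accounts
# in five seconds and then succeeds; 198.51.100.4 is a user mistyping twice.
SAMPLE_LOG = """\
2022-03-01T08:00:01 auth FAIL user=jsmith src=203.0.113.9
2022-03-01T08:00:02 auth FAIL user=jsmith src=203.0.113.9
2022-03-01T08:00:03 auth FAIL user=mlee src=203.0.113.9
2022-03-01T08:00:04 auth FAIL user=rpatel src=203.0.113.9
2022-03-01T08:00:05 auth FAIL user=akhan src=203.0.113.9
2022-03-01T08:00:06 auth OK user=akhan src=203.0.113.9
2022-03-01T08:05:00 auth FAIL user=jsmith src=198.51.100.4
2022-03-01T09:30:00 auth FAIL user=jsmith src=198.51.100.4
"""


def parse(line):
    """Return (timestamp, result, user, src) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source that reaches `threshold` failures inside `window`.

    Each alert records how many distinct accounts were tried (spraying
    indicator) and whether a successful login from that source followed,
    which is the case an analyst should triage first.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0][0] > window:  # expire old failures
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({
                    "src": src,
                    "first_failure": q[0][0].isoformat(),
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),
                    "success_after": False,
                })
        elif result == "OK" and src in alerted:
            for alert in alerts:
                if alert["src"] == src:
                    alert["success_after"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample log only 203.0.113.9 is flagged, with four distinct users and `success_after` set, while the two spaced-out failures from 198.51.100.4 stay below the threshold. A control such as MFA or account lockout limits the damage of the flagged pattern; the detector only makes it visible.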

OCR said: “Regulated entities are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes.

“To reduce the risk of unauthorized access to privileged accounts, the regulated entity could decide that a privileged access management (PAM) system is reasonable and appropriate to implement. A PAM system is a solution to secure, manage, control, and audit access to and use of privileged accounts and/or functions for an organization’s infrastructure. A PAM solution gives organizations control and insight into how its privileged accounts are used within its environment and thus can help detect and prevent the misuse of privileged accounts.”