The Office of Civil Rights (OCR) released its Q1 2022 Cybersecurity Newsletter March 17. Let’s review OCR’s guidance for HIPAA-Covered Entities (CEs) who house and transmit protected health information (PHI).
Note: CE’s aren’t only hospitals and insurers; health plans (Plans) are CEs under HIPAA. Employers who sponsor such Plans typically “perform” actions required by the HIPPA. Plans’ brokers and advisers may also be CEs under HIPAA, as well as being Business Associates (BAs) of the Plan. Therefore, they too must follow HIPAA’s Security Rule regulations to protect the Plan’s electronic PHI (ePHI).
The U.S. Department of Defense (DOD) published its new software modernization strategy February 1, 2022. Russia invaded the Ukraine February 24, 2022. Searching “Russian cyber-attacks” this afternoon generated 45.5 million results. Given rising fear of cyber attacks, this quarter’s OCR newsletter brings urgent energy to review of information systems of CEs who often take HIPAA security compliance less seriously (and often poorly applied) than necessary.
- Per OCR’s newsletter: “Unfortunately, many regulated entities continue to underappreciate the risks and vulnerabilities of their actions or inaction (g.,increased risk of remote access, unpatched or unsupported systems, not fully engaging workforce in cyber defense). Cyber-attacks are especially critical in the health care sector as attacks on ePHI can disrupt the provision of health care services to patients.”
HIPAA compliance isn’t glamourous, and it can be complicated. Due to such lackluster complexity, compliance management is often overlooked or at the bottom of the list when purse strings tighten. Too bad; it’s a required preventive scheme. HIPAA compliance is more sturdy work boot than sassy heel.
When the DOD feels their “adaptability increasingly relies on software and the ability to securely and rapidly deliver resilient software capability” then perhaps it’s worth the extra time and investment for a CE to evaluate the effectiveness of their HIPAA compliance. Because HIPAA requires CEs to comply (and because everyone’s ePHI is flowing within the encrypted-universe’s river), it’s time to protect and strengthen those work boots for the long haul.
The Solution… “Active Prevention”
I dubbed the term, “active prevention” to illustrate that a CEs HIPAA’s Security Rule compliance must not collect dust on the shelf. It requires a perspective shift in conducting business. Let’s illustrate with metaphors: instead of HIPAA compliance being Sisyphus, endlessly trudging up a hill only to retreat daily and start again, think about compliance as brushing your teeth. Dental cleaning is a daily “active prevention”; cybersecurity should also be a regular assessment of the health of systems (monthly, even annually is better than most).
- Per OCR’s newsletter: “…[M]ost cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates (“regulated entities” or “CEs”) implemented HIPAA Security Rule requirements to address the most common types of attacks, such as phishing emails, exploitation of known vulnerabilities, and weak authentication protocols.”
Gingivitis and cavities may never occur if dental hygiene is attended. Similarly, “phishing” of e-mails and ePHI breaches are less likely to occur with diligent care given to systems supporting PHI within an organization. Let’s not forget that vulnerabilities do exist. “Active prevention” identifies these if we critically assess systems and ask questions about behaviors.
To bookend this comparison, let’s chat fluoride. Fluoride? Yes, fluoride, a “safeguard.” Sugar is a common vulnerability to the maintenance of dental health. We may not consider the volume of our daily sugar intake. Consuming web content is a common vulnerability to maintenance of a strong IT system. Employees using company hardware are consuming content in the form of spam e-mail, streaming content, marketing pop-ups, and website cookies. These “sweets” are common vulnerabilities that if not mitigated using encryption software (a cybersecurity safeguard, i.e., the fluoride), may lead to a breach of ePHI.
What’s a CE to do? Actively prepare and prevent in accordance with HIPAA Rules. That seems a bit broad, I know. And no joke, HIPAA is vast, and the Security Rule is complex to implement. For this post, let’s narrow our focus to cybersecurity respecting three threats OCR recommends watching for, the underlying HIPAA regulation to support guarding against this threat, and solutions to mitigate each risk.
Threat 1: Phishing
- Per OCR’s newsletter: “Phishing is a [common] type of cyber-attack used to trick individuals into divulging sensitive information via electronic communication, such as email, by impersonating a trustworthy source. A recent report noted that 42% of ransomware attacks in Q2 2021 involved phishing. Regulated entities should follow up on security training with periodic security reminders.”
Underlying HIPAA Regulations:
- Security Rule: Transmission Security, a technical safeguard
- Privacy Rule: Training the Workforce, an administrative safeguard
- CEs are required to both train & document their workforce training regarding security awareness in all business systems, including software and e-mail usage. Train staff on what to look for in suspicious e-mails. The Security Officer and IT team are responsible for regular testing of software systems and evaluating their effectiveness. Applied, this may be “testing” the system with simulated phishing emails to workforce members and assessing their responses.
Threat 2: Exploiting Known Vulnerabilities
- Per OCR’s newsletter: “Hackers can penetrate [the] network and gain access to ePHI by exploiting known vulnerabilities. A known vulnerability is a vulnerability whose existence is publicly known. Exploitable vulnerabilities can exist in many parts of a regulated entity’s information technology infrastructure (g., server, desktop, and mobile device operating systems; application, database, and web software; router, firewall, and other device firmware).”
Underlying HIPAA Regulations:
- Security Rule: Access & Audit Control; Integrity; and Transmission Security, each a technical standard
- Privacy Rule: Security Management Process, an administrative safeguard including a required risk analysis
CONDUCT a Risk Analysis (RA) and do so regularly. The RA is what I call the “holy grail” of a strong security program. A CE worth its salt should not avoid conducting a RA or think that a “one and done” approach will suffice. Known vulnerabilities will be exposed with regular analysis of systems. It’s hard to fix a problem if you don’t know where one exists, and even harder to prepare for it if you don’t what you’re dealing with from the beginning.
The RA is a living process and must be documented and maintained regularly (I recommend at least annually, not to mention anytime a CE undergoes major business operations changes or installs new systems or software). In fact, the Security Rule states:
- “A CE or BA must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
Keep up to date on cybersecurity news; hackers are savvy and so too should be CEs responsible for protecting their PHI. The OCR recommends the following to mitigate known vulnerabilities:
- Apply vendor patches or upgrading to a newer version.
- Upgrade or replace obsolete, unsupported applications and devices (legacy systems).
- Implement a security management process to prevent, detect, contain, and correct security violations, including conducting a risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Threat 3: Weak Cybersecurity Practices
The final (and I would argue, the simplest) recommendation from OCR in the newsletter is to implement strong internal cybersecurity practices. Think of it as checking off the “low hanging fruit” boxes of implementing a security management program.
- Per OCR’s newsletter: “… [Weak] cybersecurity practices make…an attractive soft target. Weak authentication requirements are frequent targets of successful cyber-attacks (over 80% of breaches due to hacking involved compromised or brute-forced credentials). Weak password rules and single factor authentication are among [weak practices].
Underlying HIPAA Regulation:
- Security Rule: Person or Entity Authentication, a technical standard
- Per OCR’s newsletter: “…[regulated entities] are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes. A regulated entity’s risk analysis should guide its implementation of appropriate authentication solutions to reduce the risk of unauthorized access to ePHI.
There’s that RA again! Conducting a RA is not only essential to identify vulnerabilities, but necessary to establish strong cybersecurity practices. Once the RA is complete, the process of shaping an effective security program begins. Then, at the one-year mark (or when operations dictate or the security team determines), a new RA should be conducted to evaluate the effectiveness of security practices.
Don’t take it from me, listen to the OCR on actions for regulated entities:
- “Periodically examine the strength and effectiveness of…cybersecurity practices and increase or add security controls to reduce risk as appropriate.”
- “Periodically review and modify implemented security measures to ensure such measures continue to protect ePHI.”
- “Conduct periodic technical and non-technical evaluations of implemented security safeguards in response to environmental or operational changes affecting the security of ePHI to ensure continued protection of ePHI and compliance with the Security Rule (e.g., the implementation of new technology, identification of new threats to ePHI, and organizational changes such as a merger or acquisition.”
It’s simple folks, and OCR said it well, “standards and implementation specifications of the HIPAA Security Rule provide a baseline for protecting ePHI.”