Federal Health & Welfare Updates

OCR Newsletter Highlights Preventive Steps Against HIPAA Security Threats

The HHS Office for Civil Rights (OCR) released its Quarter 1 2022 Cybersecurity Newsletter, which features practical guidance for HIPAA covered entities on security threats. The number of breaches of unsecured electronic protected health information (ePHI) increased 45% from 2019 to 2020 (for breaches affecting 500 or more individuals). The most common attacks cited are phishing emails, weak authentication protocols, and exploitation of known vulnerabilities.

While encryption technology has become more common and affordable, it is still not required under the HIPAA Security Rule. It is an addressable provision. This means that, after conducting a risk analysis, a covered entity (which includes an employer plan sponsor of a group health plan) must review whether encryption is reasonable and appropriate for the entity and its ePHI. Encrypted ePHI is considered secure, so the theft of a device holding encrypted ePHI may not be determined to be a breach. Therefore, encryption is always the best safeguard for ePHI.

Phishing is a common type of cyberattack. The sender typically impersonates a trusted source or contact in an effort to trick the recipient into divulging private information or clicking a link that is then used to access the company's data. To protect against phishing, an entity should:

  • Implement an ongoing security awareness and training program for all workforce members
  • Follow up on the training with security reminders, which could include sending workforce members a simulated phishing email to gauge their response
  • Adopt anti-phishing technologies, such as flagging emails sent from outside the organization, scanning email attachments and links for potential threats, and blocking them when appropriate

Weak authentication protocols include weak password rules and single-factor authentication. Over 80% of breaches due to hacking involve the exploitation of credentials. To protect against these types of breaches, an entity should:

  • Implement multi-factor authentication
  • Adopt and follow procedures for terminating access following a change in role or termination of employment of a workforce member
  • Monitor potential hacking attempts and implement new technology as necessary

Vulnerabilities may exist anywhere in an entity's technology infrastructure, including servers, mobile device applications, databases, firewalls, and software. For protection, an entity should monitor security alerts for newly discovered vulnerabilities. OCR recommends subscribing to alerts from the HHS Health Sector Cybersecurity Coordination Center. When it learns of a vulnerability, the entity should apply the recommended patch or new version.

In summary, safeguarding the ePHI of a group health plan is becoming increasingly complicated as cyberattacks become more sophisticated. Employer plan sponsors should work with their technology partners to continually review, monitor, and implement policies and procedures.

OCR Newsletter »

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
