HHS-OCR Publishes Guidance for Healthcare Organizations to Improve Cybersecurity

In a recent Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights (OCR) published guidance on basic cybersecurity safeguards for healthcare organizations to implement in order to promote cyber resilience and mitigate the impact of attempted cyberattacks.

The electronic protected health information (ePHI) of patients is very valuable, and hackers are actively attacking the data systems of healthcare organizations in attempts to access sensitive information. Accordingly, the recent guidance focuses on several safeguards that require minimal financial investment and that OCR views as providing major benefits to the cybersecurity posture of both HIPAA-covered entities and business associates. The specific safeguards highlighted by OCR are:

Data Encryption

Encryption can be used to render sensitive patient data unreadable to non-authorized users. Such encrypted data is made intelligible only when accessed by an authorized user who possesses the encryption key. Thus, OCR notes that encrypting ePHI may substantially reduce the risk of the data becoming compromised. Also, federal regulations require both HIPAA-covered entities and business associates to consider whether encryption is a reasonable and appropriate safeguard to protect ePHI contained on the organizations’ systems.

Phishing Awareness and Training

OCR highlights how “phishing” has become a common and effective tactic that hackers use to steal login credentials such as usernames and passwords. Once a hacker acquires a user’s credentials, the hacker can then use them to access sensitive data within a system. Such phishing schemes work by sending emails that either entice the user to disclose login credentials or induce the user to install malicious software that mines the user’s computer for sensitive data. Healthcare organizations should implement spam filters and anti-malware on their systems and train staff to become familiar with identifying suspicious emails. Such training should be part of the security awareness and training program that HIPAA regulations require of a healthcare organization.

Audit Logs

Audit logs can record when and how information is accessed, used, or transferred on specific devices, software, or systems. OCR views audit logs as an important tool that healthcare organizations should implement and frequently review to detect suspicious activity. Also, implementing and regularly monitoring audit logs is required by the HIPAA Security Rule.
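As an added illustration (not part of the OCR newsletter or this article), the following Python script reviews a constructed ePHI access log and surfaces two patterns a reviewer would want flagged: record access outside business hours, and one account touching many distinct patient records in a short window. The log format, field names, thresholds and user names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ePHI access-log lines (not from any real system); the
# "timestamp,user,action,patient_id,workstation" format is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:02:11,nurse_a,VIEW,P1001,WS-ICU-1
2024-03-04T09:05:40,nurse_a,VIEW,P1002,WS-ICU-1
2024-03-04T09:30:12,dr_b,VIEW,P1001,WS-ICU-2
2024-03-04T23:41:03,clerk_c,EXPORT,P2001,WS-ADM-7
2024-03-04T23:41:09,clerk_c,EXPORT,P2002,WS-ADM-7
2024-03-04T23:41:15,clerk_c,EXPORT,P2003,WS-ADM-7
2024-03-04T23:41:20,clerk_c,EXPORT,P2004,WS-ADM-7
2024-03-04T23:41:26,clerk_c,EXPORT,P2005,WS-ADM-7
2024-03-04T23:41:31,clerk_c,EXPORT,P2006,WS-ADM-7
"""
BUSINESS_HOURS = (7, 19)         # 07:00-19:00 counts as normal access time
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5               # distinct patient records per window

def parse_log(text):
    """Parse CSV-style audit lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, host = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "host": host})
    return events

def find_suspicious(events):
    """Return a list of (user, reason) findings for a reviewer to triage."""
    findings = []
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings.append((e["user"], f"after-hours {e['action']} of {e['patient']}"))
        per_user[e["user"]].append(e)
    # Sliding window: many distinct patient records by one user in a short span
    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            patients = {x["patient"] for x in window}
            if len(patients) >= BULK_THRESHOLD:
                findings.append((user, f"{len(patients)} distinct patients within {BULK_WINDOW}"))
                break
    return findings
```

Running `find_suspicious(parse_log(SAMPLE_LOG))` on the constructed log flags only the after-hours bulk export by `clerk_c`, while the daytime clinical views pass.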

Secure Configuration of Software and Devices

Safeguards such as data encryption, spam filters, anti-malware software, firewalls, and audit logs work best when they are consistently and properly configured throughout an entire healthcare organization. This includes properly configuring all devices used to access ePHI, including laptops, tablets, and mobile devices. Gaps in configuration can be exploited by hackers even when an organization has intended to implement multiple cyber safeguards. Accordingly, healthcare organizations should keep records of software and device configurations, and regularly seek to identify potential vulnerabilities to ensure proper system-wide configuration.