Writing in their latest quarterly newsletter, the US Department of Health and Human Services’ Office for Civil Rights (OCR) reported that the number of hacking or IT incidents which led to ePHI data breaches increased 45% from 2019 to 2020. Hacking or IT incidents accounted for 66% of all electronic protected health information (ePHI) data breaches reported to the OCR in 2020.
The majority of ePHI breaches which occurred over the previous two years could have been prevented or substantially mitigated had healthcare facilities actually implemented the HIPAA Security Rule, according to the OCR.
The OCR newsletter pointed out that the HIPAA Security Rule requires that facilities have a security awareness training program for all workforce members. The training program should be an evolving process that educates the workforce on current and new cybersecurity threats, and how they should respond.
Phishing attacks are one of the most common types of cyberattacks. During the second quarter of 2021, at least 42% of ransomware attacks involved phishing. Workforce members should be able to recognize a phishing attack and know how to take appropriate action if one is suspected.
The National Institute of Standards and Technology (NIST) provides information regarding known vulnerabilities. Careful attention should be paid to cybersecurity alerts describing newly discovered vulnerabilities. All known vulnerabilities should be closely monitored, and mitigation activities and patching should be implemented quickly.
A security management process should be implemented to prevent, detect, contain, and correct security violations. This process includes conducting a risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule requires the risk analysis to be accurate and thorough, and it should include processes that identify potential technical and non-technical vulnerabilities.
The OCR added that weak cybersecurity practices can cause an entity to become a soft target and therefore vulnerable to cyberattacks. Weak password rules and single factor authentication are among the practices that can contribute to successful attacks. Regulated entities are required to periodically review and modify implemented security measures to ensure such measures continue to protect ePHI. Further, regulated entities are required to conduct periodic technical and non-technical evaluations of implemented security safeguards in response to environmental or operational changes affecting the security of ePHI to ensure continued protection of ePHI and compliance with the Security Rule.
The OCR Quarter 1 2022 Cybersecurity newsletter can be accessed at: OCR Quarter 1 2022 Cybersecurity Newsletter | HHS.gov.
Issue:
Facilities need to be proactive in taking measures to protect their data and systems from the ever-increasing number of cyberattacks. Nursing facility leaders and privacy officers must collaborate with IT departments to ensure that all sensitive data is protected to the greatest degree possible. Staff must be trained on best practices in preventing data breaches. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6, Data Integrity.
Discussion Points:
- Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices in preventing data breaches.
- Train all appropriate staff on best practices to prevent data breaches. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing data breaches.