In recognition of National Cybersecurity Awareness Month, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a newsletter on cybersecurity awareness and how best to protect the privacy and security of confidential data.
According to the newsletter, cybersecurity incidents and data breaches continue to increase across all sectors. A 2022 cybersecurity firm report noted a 42 percent increase in cyberattacks for the first half of 2022 compared to 2021, and a 69 percent increase in cyberattacks targeting the healthcare sector. The number of data breaches occurring in the healthcare sector also continue to rise. Breaches of unsecured protected health information (PHI), including electronic protected health information (ePHI), reported to OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021. Seventy-four percent of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the healthcare sector, hacking is now the greatest threat to the privacy and security of PHI. A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks.
The newsletter details how to form a security incident response team to conduct regular testing of security incident procedures. It also explains how to respond to security incidents, how to mitigate any harmful effects of a security incident, how to document the security incident, and facility breach reporting obligations.
OCR said that security incidents will almost inevitably occur during the lifetime of a regulated entity. Having a plan established and documented is essential to being able to detect security incidents quickly in order to respond to and recover from security incidents effectively. The October 2022 OCR Cybersecurity Newsletter can be found here.
Issue:
Within the healthcare sector, the HIPAA Security Rule applies to covered entities and their business associates (“regulated entities”) and ePHI. Because ePHI identifies individuals and includes information relating to an individual’s health, treatment, or payment information, it is a valuable target for cybercriminals. The HIPAA Security Rule requires regulated entities to “implement policies and procedures to address security incidents.” This means regulated entities need to have a plan in place and documented for responding to security incidents (suspected or known) that includes:
- identifying security incidents;
- responding to security incidents;
- mitigating harmful effects of security incidents; and
- documenting security incidents and their outcomes.
Discussion Points:
- Review facility policies and procedures on cybersecurity, including the designation of appropriate personnel to be members of the facility’s security incident response team. Ensure that policies are kept current based on best practices in preventing data breaches.
- Train all appropriate staff on best practices to prevent data breaches. Also train staff on the processes to identify and determine the scope of security incidents. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing data breaches and in reporting requirements. Also regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports.