OCR Newsletter Emphasizes HIPAA Security Safeguards Against Phishing, Known Vulnerabilities, and Unauthorized Access

OCR has released its Cybersecurity Newsletter for the first quarter of 2022, emphasizing some core security safeguards. According to the newsletter, although some cyberattacks may be sophisticated and exploit previously unknown vulnerabilities, most attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates (“regulated entities”) implemented Security Rule safeguards against the most common types of attacks, such as phishing emails, exploitation of known vulnerabilities, and evasion of access controls. Here are key points from the newsletter for each attack type:

  • Phishing. Phishing is used to trick individuals into divulging sensitive information through electronic communication, such as email, by impersonating a trustworthy source. All regulated entities’ workforce members should understand their role in protecting PHI and be able to detect suspicious emails and take appropriate action. An ongoing security awareness and training program, which the Security Rule requires for all workforce members, can be an effective first line of defense and an integral part of a regulated entity’s strategy to defend against, mitigate, and prevent phishing attacks. Training should evolve to address new and current cybersecurity threats, with participation by senior executives, who may be targeted for phishing attacks because of their access to sensitive PHI. In addition to education, anti-phishing technologies (such as blocking emails from malicious addresses and scanning web links and attachments for threats) can reduce the risk and consequences of phishing attacks.

  • Known Vulnerabilities. Hackers can penetrate a regulated entity’s network and gain access to PHI by exploiting publicly known vulnerabilities. Known vulnerabilities are publicly identifiable, and many are tracked by the National Institute of Standards and Technology (NIST) in the National Vulnerability Database. Vulnerabilities can exist throughout information technology infrastructure (e.g., server, desktop, and mobile device operating systems; application, database, and web software; and router, firewall, and other firmware). Known vulnerabilities often can be mitigated with patches or upgrades to newer versions; where software, devices, or applications are no longer supported, other mitigation actions may be available (see our Checkpoint article). Regulated entities should be vigilant for cybersecurity alerts describing newly discovered vulnerabilities; the newsletter lists some sources of alerts.

  • Access Controls. The Security Rule requires processes to verify that persons or entities seeking access to PHI are who they claim to be, and to restrict access to PHI to only those who need it. Weak authentication requirements, inadequate password rules, and single-factor authentication create opportunities for unauthorized access. Once inside an organization, attackers can further exploit weak access controls by infiltrating privileged accounts, moving to multiple computer systems, deploying malicious software, and exfiltrating sensitive data. The newsletter highlights the utility of privileged access management (PAM) solutions.
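The anti-phishing technologies the newsletter names (blocking mail from malicious addresses, scanning links and attachments) can be illustrated with a small triage routine. The following is an added example written for this summary; it is not code from OCR or EBIA. It parses two constructed sample messages with Python’s standard `email` module and reports which heuristics fire: a blocklisted sender domain, a display name that claims a protected brand while the address domain differs, link text that shows one domain while the `href` points to another, and attachments with executable-style extensions. The blocklist, brand list, extension list, and sample messages are all constructed for the demonstration.

```python
"""Heuristic phishing triage over raw email messages (constructed samples).

Added example, not from the OCR newsletter or EBIA. The policy data below
(blocklist, protected brands, risky extensions) and both sample messages are
constructed; a real deployment would source them from its own mail-security
tooling.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Constructed policy data (hypothetical values, not from the page).
BLOCKED_SENDER_DOMAINS = {"mail-updates.example"}
PROTECTED_BRANDS = {"Example Health": "examplehealth.example"}
RISKY_ATTACHMENT_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso"}

LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,})\b", re.I)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the sample data."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw: str) -> List[str]:
    """Return the list of findings; an empty list means no heuristic fired."""
    msg = message_from_string(raw)
    findings: List[str] = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

    # 1. Sender domain on the blocklist: this mail would be blocked outright.
    if sender_domain in BLOCKED_SENDER_DOMAINS:
        findings.append(f"sender domain {sender_domain} is blocklisted")

    # 2. Display name impersonates a protected brand from a foreign domain.
    for brand, brand_domain in PROTECTED_BRANDS.items():
        if brand.lower() in display_name.lower() and sender_domain != brand_domain:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    for part in msg.walk():
        # 3. Link text names one domain while the href goes somewhere else.
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            for href, text in LINK_RE.findall(html):
                href_domain = registered_domain(urlparse(href).hostname or "")
                shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
                if shown and registered_domain(shown.group(1)) != href_domain:
                    findings.append(f"link text shows {shown.group(1)} but points to {href_domain}")
        # 4. Attachment whose extension is executable-style.
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_ATTACHMENT_EXTENSIONS:
                findings.append(f"attachment {filename} has risky extension {ext}")
    return findings


# Constructed sample: impersonated brand, blocklisted domain, deceptive link, .exe attachment.
SAMPLE_PHISH = """\
From: "Example Health Billing" <billing@mail-updates.example>
To: staff@examplehealth.example
Subject: Action required: patient statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Review your statement at <a href="http://login.mail-updates.example/x">portal.examplehealth.example</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.pdf.exe"

aGVsbG8=
--b1--
"""

# Constructed sample: same brand, but sent from and linking to the brand's own domain.
SAMPLE_LEGIT = """\
From: "Example Health Billing" <billing@examplehealth.example>
To: staff@examplehealth.example
Subject: Patient statement
Content-Type: text/html; charset="utf-8"

<p>Review your statement at <a href="https://portal.examplehealth.example/x">portal.examplehealth.example</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw))
```

Each finding is a reason a gateway could quarantine the message or a reviewer could flag it in training; the legitimate sample produces no findings because the sender, the displayed link domain, and the real link domain all agree.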
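The Known Vulnerabilities point comes down to a recurring decision: compare what is installed against the versions an advisory says are affected, then patch where a fix exists and plan other mitigation where the vendor no longer ships one. The following added example (not the newsletter’s or EBIA’s code) runs that decision over a constructed inventory and a constructed advisory list; the advisory identifiers are placeholders, not real CVE numbers. It also shows why versions must be compared numerically rather than as strings, a common source of false positives and missed patches in home-grown checks.

```python
"""Compare a software inventory against vulnerability advisories.

Added example, not from the OCR newsletter or EBIA. Inventory, advisories
and product names are constructed; advisory IDs are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Advisory:
    advisory_id: str            # placeholder, not a real CVE identifier
    product: str
    affected_below: str         # every version lower than this is affected
    fixed_in: Optional[str]     # version to upgrade to; None when the vendor ships no fix (EOL)


@dataclass
class Installed:
    host: str
    product: str
    version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.10.0' into (5, 10, 0) so '5.10.0' compares higher than '5.2.4'.

    As strings, '5.10.0' < '5.2.4' because '1' sorts before '2'; that lexical
    comparison would wrongly flag an already-patched host.
    """
    return tuple(int(x) for x in v.split("."))


def assess(inventory: List[Installed], advisories: List[Advisory]) -> List[dict]:
    """Return one finding per (host, advisory) pair where the installed version is affected."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv.product != item.product:
                continue
            if parse_version(item.version) >= parse_version(adv.affected_below):
                continue  # at or above the affected range: nothing to do
            if adv.fixed_in:
                action = f"upgrade to {adv.fixed_in} or later"
            else:
                # Unsupported product: no patch will come, so the newsletter's
                # "other mitigation actions" apply (isolate, replace, compensate).
                action = "unsupported product, no patch available: apply compensating mitigation or replace"
            findings.append({
                "host": item.host,
                "product": item.product,
                "version": item.version,
                "advisory": adv.advisory_id,
                "action": action,
            })
    return findings


# Constructed advisory feed (placeholder IDs).
ADVISORIES = [
    Advisory("ADV-0001-PLACEHOLDER", "ExampleDB", affected_below="5.2.4", fixed_in="5.2.4"),
    Advisory("ADV-0002-PLACEHOLDER", "LegacyRouterOS", affected_below="9.9.9", fixed_in=None),
]

# Constructed inventory.
INVENTORY = [
    Installed("db01", "ExampleDB", "5.2.3"),        # below the fix: needs the patch
    Installed("db02", "ExampleDB", "5.10.0"),       # numerically newer than 5.2.4: fine
    Installed("edge-rtr", "LegacyRouterOS", "3.1.0"),  # vendor no longer supports it
    Installed("ws17", "OfficeSuite", "2.0.0"),      # no advisory for this product
]

if __name__ == "__main__":
    for finding in assess(INVENTORY, ADVISORIES):
        print(finding)
```

Feeding this from a real inventory and an alert source such as the NVD feeds the newsletter points to turns the advice into a repeatable check; the two outcomes (patch available versus unsupported) map directly onto the two mitigation paths the newsletter describes.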

EBIA Comment: OCR’s periodic cybersecurity newsletters highlight timely HIPAA compliance and enforcement issues. Although the headlines differ, the core message consistently underscores the importance of the risk analysis, continuous evaluation and modification of safeguards, workforce training, patches, and technical solutions. The newsletter concludes with an extensive list of cybersecurity resources that regulated entities may find especially useful. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXX.B (“Administrative Safeguards”) and XXX.D (“Technical Safeguards”). You may also be interested in our webinar “HIPAA Breaches: Preparation and Response” (recorded on 1/26/22).

Contributing Editors: EBIA Staff.
