In a February 28, 2022, blog post, Lisa J. Pino, Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), expressed grave concern about the ever-increasing number of cyberattacks on covered entities and business associates.
Pino urged healthcare organizations to follow HIPAA Security Rule requirements and take immediate steps to mitigate the risk of cyberattacks.
According to OCR's Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2020, the number of data breaches exposing protected health information (PHI) continues to rise. In 2020, data breaches that exposed more than 500 patients' PHI per breach rose an astonishing 61 percent.
In her blog post, Pino stressed the urgency of risk analysis and risk mitigation, not just for the protection of electronic health records, but across the entire covered entity's or business associate's operation.
This begins, Pino stated, with knowing where your patients' electronic PHI (ePHI) is stored and used. Pino also focused on cybersecurity best practices and offered tips and resources for healthcare organizations. These best practices include:
The OCR's 2020 Annual Report includes a Lessons Learned section that describes how underprepared many healthcare organizations are for cyberattacks. Threat actors know that healthcare organizations are sometimes lax in implementing the HIPAA Security Rule's requirements and they don't hesitate to exploit this vulnerability.
The HIPAA Security Rule requires, among other things, that covered entities and business associates conduct regular risk analyses, implement risk management procedures, review information system activity, implement audit controls for systems that store or use patients' ePHI, provide security awareness training to employees, and verify the identity of any person or entity seeking access to ePHI.
However, OCR's investigation of more than 67,000 data breaches reported in 2020 found that many healthcare organizations either do not follow the Security Rule properly or do not implement some of its requirements at all. Since OCR actively investigates breaches of unsecured PHI, a cyberattack could very well cost your organization twice: once to mitigate the effects of the attack, and a second time through a fine or settlement imposed by OCR.
HHS's recent alert concerning the protection of EHRs includes email security recommendations such as implementing email attachment sandboxing and filtering URLs.
We at Paubox also strongly recommend implementing Zero Trust Email, which uses multi-factor authentication (MFA) and robust inbound security tools to check incoming emails and verify their authenticity. Zero Trust Email uses email AI to identify legitimate email messages before they hit your inbox.