OCR Director Says HIPAA-Regulated Entities Need to Improve Their Security Posture in 2022


Lisa J. Pino, Director of the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), has urged healthcare organizations and their business associates to review their cybersecurity defenses and risk management policies and procedures this year, in light of the barrage of cyberattacks on the healthcare industry.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to provide annual reports to Congress on HIPAA Privacy, Security, and Breach Notification Rule compliance and on breaches of unsecured protected health information. The HHS has recently sent its reports to Congress for calendar year 2020, which show a 61% increase in reported healthcare data breaches of 500 or more records and a 6% increase in breaches of 500 or fewer records. Not only has the number of healthcare data breaches reported to OCR increased, the rate of increase has also risen compared with 2019.

It will be a year before figures are sent to Congress for calendar year 2021, but all indications so far are that attacks have continued to rise. A report published in HIPAA Journal for calendar year 2021 indicates 714 breaches of 500 or more records reported to OCR, compared to 642 in 2020.

2021 was a particularly bad year for healthcare industry data breaches, with hacking and IT incidents accounting for the majority of breaches of protected health information and the vast majority of breached records. Pino explained in a recent blog post that cybercriminals continued to take advantage of the pandemic in 2021 and have been actively targeting healthcare organizations. In some cases, the attacks have affected the ability of healthcare providers to deliver medical services to patients, as the cyberattacks have taken IT systems, phone systems, and patient records offline, resulting in canceled appointments and surgeries and delays in obtaining test results. Pino also drew attention to the Log4J vulnerabilities reported in December 2021, which were rapidly exploited by many different types of threat actors to achieve a variety of aims.

It is probable that 2022 will be yet another record-breaking year for healthcare industry data breaches, so it is vital for all healthcare organizations to take steps to prepare for attacks and strengthen their cybersecurity defenses. Pino explained that OCR’s investigations, compliance reviews, and audits of HIPAA-regulated entities have uncovered many cases of non-compliance with the requirements of the HIPAA Security Rule. For instance, the Security Rule requires a comprehensive risk analysis to be conducted to identify all risks and vulnerabilities to ePHI. Many healthcare providers have only partially satisfied this requirement as they have only conducted a risk analysis on their electronic health records, when ePHI is also stored in many other systems.

“I cannot underscore enough the importance of enterprise-wide risk analysis,” said Pino. “You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.” Pino also explained that risk management strategies must be comprehensive in scope.

In addition to reviewing and revising risk management policies and procedures, Pino strongly advises HIPAA-regulated entities to ensure they are following cybersecurity best practices and are backing up their data, testing their backups, patching software promptly, updating operating systems, and are conducting regular scans to identify vulnerabilities, especially on Internet-facing systems.

“We owe it to our patients, and industry, to improve our cybersecurity posture in 2022 so that health information is private and secure,” said Pino. She also confirmed at the 31st annual HIPAA Summit that OCR is continuing to enforce compliance with the HIPAA Rules.