OCR Recommends Cybersecurity Best Practices for Healthcare Organizations

The Department of Health and Human Services’ Office for Civil Rights has reminded healthcare organizations about fundamental cybersecurity best practices that should be adopted to boost resilience to cyber threats and minimize the effect of attempted cyberattacks.

All businesses, especially those in the healthcare industry, must have policies, procedures, and technical controls in place to make it harder for hackers to gain access to their networks and data.

Healthcare organizations should protect their systems against cyberattacks by investing in technologies that safeguard the network perimeter, detect intrusions, and block phishing threats and malware. Larger healthcare providers most likely have the means to invest heavily in cybersecurity solutions, but smaller HIPAA-covered entities and business associates might struggle to find the resources to devote to cybersecurity. Fortunately, many of OCR's recommendations are highly effective and can be applied without a major financial commitment.

The cybersecurity best practices recommended by OCR for healthcare organizations are detailed below. These four cybersecurity best practices are also important for HIPAA compliance.

Data Encryption

Encryption is an addressable implementation specification of the HIPAA Security Rule, yet it is one of the most important safeguards for the confidentiality of ePHI. Encryption converts readable data (plaintext) into ciphertext; if applied correctly, it renders the data unintelligible to anyone who does not hold the decryption key. Be sure to choose an encryption mechanism recommended by NIST: HHS's breach notification guidance points to NIST SP 800-111 for data at rest and to the NIST SP 800-52, 800-77 and 800-113 series for data in transit, and ePHI encrypted in line with that guidance is treated as unusable, unreadable or indecipherable if it is lost or stolen. Not all encryption standards are equal, and the protection is only as strong as the key management around it: a deprecated algorithm or mode, or a key stored alongside the data it protects, provides little real protection.

Social Engineering Awareness

Many healthcare data breaches begin with a compromised email account. Cyber criminals use phishing emails to lure healthcare employees into disclosing their email credentials or installing malware, and phishing remains a highly effective social engineering tactic for gaining access to ePHI. Email gateway security solutions can reduce the number of phishing emails that reach inboxes, but technology alone cannot be relied on: some emails will get past perimeter defenses, so healthcare employees should be trained to recognize social engineering attacks and to report suspected phishing so that the security team can respond. Regular security awareness training reduces susceptibility to phishing and is a requirement for HIPAA Security Rule compliance.

Audit Logs

HIPAA-covered entities must generate and monitor audit logs that record events on the systems, equipment, and software that store or process ePHI; the Security Rule's audit controls standard (45 CFR §164.312(b)) requires mechanisms that record and examine activity in such systems. By examining audit logs regularly, security teams can detect unauthorized persons attempting to gain access to ePHI before a breach occurs, and after an incident the same logs establish what was accessed, by whom, and when. Logs only deliver that value if they are actually reviewed, retained long enough to cover an investigation, and protected from alteration by the accounts whose activity they record.
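
The following Go program is an added example, not code from OCR or the original article, of the kind of review the paragraph describes: it parses constructed authentication records from an EHR application (the log format, host names, user names and addresses are all invented for the illustration) and flags a burst of failed logins from one source, plus the more serious case where a success follows such a burst, which suggests a password was guessed rather than merely attacked. The thresholds are assumptions; a real deployment tunes them to its own baseline.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed authentication record.
type Event struct {
	Time   time.Time
	User   string
	Src    string
	Result string // "FAIL" or "SUCCESS"
}

// SampleLog is constructed for this example in a syslog-like key=value layout.
// jsmith: five failures then a success from one address in under a minute.
// mlee: a single mistyped password followed by a success, which should not alert.
const SampleLog = `2024-03-04T02:14:05Z ehr-app auth user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T02:14:09Z ehr-app auth user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T02:14:12Z ehr-app auth user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T02:14:16Z ehr-app auth user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T02:14:20Z ehr-app auth user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T02:14:31Z ehr-app auth user=jsmith src=203.0.113.7 result=SUCCESS
2024-03-04T08:02:10Z ehr-app auth user=mlee src=10.20.1.15 result=FAIL
2024-03-04T08:02:25Z ehr-app auth user=mlee src=10.20.1.15 result=SUCCESS`

// ParseLine parses "<RFC3339 time> <host> <app> key=value ..." and rejects anything else.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	ev := Event{Time: ts}
	for _, f := range fields[3:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			ev.User = v
		case "src":
			ev.Src = v
		case "result":
			ev.Result = v
		}
	}
	if ev.User == "" || ev.Src == "" || ev.Result == "" {
		return Event{}, fmt.Errorf("missing user/src/result in %q", line)
	}
	return ev, nil
}

// ParseLog parses every line and sorts by time, since records collected from
// several systems rarely arrive in order.
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, nil
}

// DetectBruteForce walks the events once, keeping a sliding window of recent
// failures per (user, source). It alerts when the failure count reaches the
// threshold, and again if a success follows such a burst.
func DetectBruteForce(events []Event, threshold int, window time.Duration) []string {
	type key struct{ user, src string }
	recent := map[key][]time.Time{}
	alerted := map[key]bool{}
	var alerts []string
	for _, ev := range events {
		k := key{ev.User, ev.Src}
		fails := recent[k]
		for len(fails) > 0 && ev.Time.Sub(fails[0]) > window {
			fails = fails[1:] // expire failures that fell out of the window
		}
		switch ev.Result {
		case "FAIL":
			fails = append(fails, ev.Time)
			if len(fails) >= threshold && !alerted[k] {
				alerted[k] = true
				alerts = append(alerts, fmt.Sprintf("%s brute force: %d failed logins for %s from %s within %s",
					ev.Time.Format(time.RFC3339), len(fails), ev.User, ev.Src, window))
			}
		case "SUCCESS":
			if len(fails) >= threshold {
				alerts = append(alerts, fmt.Sprintf("%s possible compromise: %s logged in from %s after %d recent failures",
					ev.Time.Format(time.RFC3339), ev.User, ev.Src, len(fails)))
			}
			fails = nil // the password was accepted; start counting afresh
			delete(alerted, k)
		}
		recent[k] = fails
	}
	return alerts
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectBruteForce(events, 5, 5*time.Minute) {
		fmt.Println(a)
	}
}
```

Run against the sample, the program raises two alerts for jsmith and none for mlee. The parser rejects malformed lines rather than skipping them silently, because a log source that suddenly changes format is itself something the team should notice.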

Proper Configuration of Software and Network Equipment

Network devices, software, and cloud-based services may ship with the security controls needed to keep unauthorized individuals away from data, but it is up to the covered entity to ensure that those controls are enabled and configured correctly. Many data breaches have been caused by an accidental misconfiguration, or by firewalls and other security controls being disabled and never switched back on. Security teams should conduct regular audits to confirm that all systems, software programs, and devices are properly configured against a documented baseline and that appropriate patches have been applied.
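
As an added example (not OCR's or the article's own material), the Go program below audits constructed host configurations against a hypothetical baseline of the kind a covered entity might document: the host firewall must be enabled, its default action must be deny, no allow rule may expose a sensitive service to any source, and the host must have been patched within a set number of days. Host names, rules, ports and the patch-age limit are all assumptions for the illustration; the output is one finding per control that fails, which is the shape a configuration review report takes.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Rule is one entry in a host firewall policy (constructed for this example).
type Rule struct {
	Name    string
	Action  string // "allow" or "deny"
	SrcCIDR string
	DstPort int
}

// Host is the audited configuration of one system.
type Host struct {
	Name            string
	FirewallEnabled bool
	DefaultAction   string // baseline expects "deny"
	Rules           []Rule
	LastPatched     time.Time
}

// Services that the hypothetical baseline says must never be reachable from any source.
var sensitivePorts = map[int]string{22: "SSH", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}

// AuditDate is a fixed "now" so the results are reproducible.
var AuditDate = time.Date(2024, 3, 4, 0, 0, 0, 0, time.UTC)

// SampleHosts: one misconfigured database host and one host that meets the baseline.
var SampleHosts = []Host{
	{
		Name: "db-01", FirewallEnabled: true, DefaultAction: "allow",
		Rules:       []Rule{{Name: "pg-any", Action: "allow", SrcCIDR: "0.0.0.0/0", DstPort: 5432}},
		LastPatched: AuditDate.AddDate(0, -3, 0),
	},
	{
		Name: "ehr-web-01", FirewallEnabled: true, DefaultAction: "deny",
		Rules: []Rule{
			{Name: "https-internal", Action: "allow", SrcCIDR: "10.0.0.0/8", DstPort: 443},
			{Name: "ssh-jumphost", Action: "allow", SrcCIDR: "10.20.0.0/24", DstPort: 22},
		},
		LastPatched: AuditDate.AddDate(0, 0, -10),
	},
}

// Audit returns one finding per control that is missing, disabled or misconfigured.
func Audit(h Host, now time.Time, maxPatchAge time.Duration) []string {
	var findings []string
	if !h.FirewallEnabled {
		findings = append(findings, h.Name+": host firewall is disabled")
	}
	if h.DefaultAction != "deny" {
		findings = append(findings, fmt.Sprintf("%s: default action is %q, baseline requires deny", h.Name, h.DefaultAction))
	}
	for _, r := range h.Rules {
		if r.Action != "allow" {
			continue
		}
		_, ipnet, err := net.ParseCIDR(r.SrcCIDR)
		if err != nil {
			findings = append(findings, fmt.Sprintf("%s: rule %s has unparseable source %q", h.Name, r.Name, r.SrcCIDR))
			continue
		}
		ones, _ := ipnet.Mask.Size() // a /0 prefix means "any source"
		if svc, sensitive := sensitivePorts[r.DstPort]; sensitive && ones == 0 {
			findings = append(findings, fmt.Sprintf("%s: rule %s exposes %s (port %d) to any source", h.Name, r.Name, svc, r.DstPort))
		}
	}
	if age := now.Sub(h.LastPatched); age > maxPatchAge {
		findings = append(findings, fmt.Sprintf("%s: last patched %d days ago, baseline allows %d",
			h.Name, int(age.Hours()/24), int(maxPatchAge.Hours()/24)))
	}
	return findings
}

func main() {
	for _, h := range SampleHosts {
		findings := Audit(h, AuditDate, 30*24*time.Hour)
		fmt.Printf("%s: %d finding(s)\n", h.Name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Against the sample data, db-01 produces three findings (default allow, PostgreSQL open to the world, patches three months old) and ehr-web-01 produces none. The check is deliberately against an explicit baseline rather than against "whatever it was last time": a drift check alone would happily bless a firewall that was disabled before the first snapshot was taken.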