OCR Newsletter Emphasizes Controlling Access to PHI, as Government Launches Website to Defend Against Ransomware

Summer 2021 Cybersecurity Newsletter—Controlling Access to ePHI: For Whose Eyes Only? (July 14, 2021); CISA: New StopRansomware.gov website—The U.S. Government’s One-Stop Location to Stop Ransomware (July 15, 2021)

OCR has released its Summer 2021 Cybersecurity Newsletter, emphasizing the importance of regulating access to PHI using the HIPAA security rule’s standards for information access management and access control. OCR observes that these standards are complementary requirements that can help ensure that workforce members are authorized to access only the PHI they need, limiting potential unauthorized access by both hackers and malicious insiders. Here are key points from the newsletter for each standard:

  • Information access management. This standard is classified as an administrative safeguard under the security rule and has generally applicable implementation specifications for (1) access authorization and (2) access establishment and modification. Access authorization focuses on policies for granting workforce members access to PHI, such as how to request access and the criteria for granting access to particular systems, applications, and data based on workforce roles. In comparison, access establishment and modification addresses the procedural aspects of establishing, documenting, reviewing, and modifying users’ access to workstations, transactions, programs, and processes. This implementation specification focuses on access changes, such as a workforce member being promoted or a covered entity shifting to remote work during a pandemic, to ensure that workforce members’ access continues to be appropriate for their roles.

  • Access control. This standard is classified as a technical safeguard, requiring covered entities and business associates to restrict access to PHI in accordance with their access management process. The standard consists of four implementation specifications. Unique user identification is required to ensure accountability of individual users and to facilitate investigations when intrusions occur. Emergency access procedures apply to situations in which the normal procedures for accessing PHI are unavailable. Automatic logoff reduces the risk of unauthorized access when users forget or are unable to terminate their work sessions. Finally, encryption reduces the risks and costs of unauthorized access to PHI; in addition, encrypted PHI is not considered unsecured and, consequently, is not subject to HIPAA breach notification.

The day after OCR published its cybersecurity newsletter, the federal Cybersecurity & Infrastructure Security Agency (CISA) announced the launch of a new website to help public and private organizations defend against ransomware. According to CISA, the website is an interagency resource giving users one central location for ransomware resources and alerts. CISA plans to expand the resources and information available on the website.

EBIA Comment: The periodic cybersecurity newsletters highlight HIPAA compliance and enforcement issues of interest to OCR. While the ransomware website is not specific to HIPAA, hackers intent on installing ransomware first need access to vulnerable systems. Thus, there is a clear connection between access controls and ransomware defense, making these new resources worthwhile reading for covered entities and business associates. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXX.B (“Administrative Safeguards”) and XXX.D (“Technical Safeguards”). You may also be interested in our upcoming webinar “Practical Application of HIPAA Use and Disclosure Rules for Group Health Plans” (live on 8/12/2021).

Contributing Editors: EBIA Staff.