OCR has released its Cybersecurity Newsletter for the first quarter of 2022, emphasizing some core security safeguards. According to the newsletter, although some cyberattacks may be sophisticated and exploit previously unknown vulnerabilities, most attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates (“regulated entities”) implemented security rule safeguards against the most common types of attacks, such as phishing emails, exploitation of known vulnerabilities, and evasion of access controls. Here are key points from the newsletter for each attack type:
Phishing. Phishing is used to trick individuals into divulging sensitive information via electronic communication, such as email, by impersonating a trustworthy source. All regulated entities’ workforce members should understand their role in protecting PHI and be able to detect suspicious emails and take appropriate action. An ongoing security awareness and training program, which the security rule requires for all workforce members, can be an effective first line of defense and an integral part of a regulated entity’s strategy to defend, mitigate, and prevent phishing attacks. Training should evolve to address new and current cybersecurity threats, with participation by senior executives who may be targeted for phishing attacks because of their access to sensitive PHI. In addition to education, anti-phishing technologies—such as blocking emails from malicious addresses and scanning web links and attachments for threats—can reduce the risk and consequences of phishing attacks.
Known Vulnerabilities. Hackers can penetrate a regulated entity’s network and gain access to PHI by exploiting publicly known vulnerabilities. Known vulnerabilities are publicly documented, and many are tracked by the National Institute of Standards and Technology (NIST) in the National Vulnerability Database. Vulnerabilities can exist throughout information technology infrastructure (e.g., server, desktop, and mobile device operating systems; application, database, and web software; and router, firewall, and other firmware). Known vulnerabilities often can be mitigated with patches or upgrades to newer versions—or other mitigation actions may be available if software, devices, or applications are no longer supported (see our Checkpoint article). Regulated entities should be vigilant for cybersecurity alerts describing newly discovered vulnerabilities; the newsletter lists some sources of alerts.
Access Controls. The security rule requires processes to verify that persons or entities seeking access to PHI are who they claim to be, and to restrict access to PHI to only those who need it. Weak authentication requirements, inadequate password rules, and single-factor authentication create opportunities for unauthorized access. Once inside an organization, attackers can further exploit weak access controls by infiltrating privileged accounts, moving to multiple computer systems, deploying malicious software, and exfiltrating sensitive data. The newsletter highlights the utility of privileged access management (PAM) solutions.
EBIA Comment: OCR’s periodic cybersecurity newsletters highlight timely HIPAA compliance and enforcement issues. Although the headlines vary, the core message consistently underscores the importance of the risk analysis, continuous evaluation and modification of safeguards, workforce training, patches, and technical solutions. The newsletter concludes with an extensive list of cybersecurity resources that regulated entities may find especially useful. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXX.B (“Administrative Safeguards”) and XXX.D (“Technical Safeguards”). You may also be interested in our webinar “HIPAA Breaches: Preparation and Response” (recorded on 1/26/22).
Contributing Editors: EBIA Staff.