In recognition of National Cybersecurity Awareness Month, the Office of Civil Rights (OCR) issued its October 2022 Cybersecurity Newsletter addressing best practices and tips for compliance with HIPAA’s Security Rule. The Newsletter discussed the ever-increasing need for members of the healthcare industry to be vigilant in their practices, as research shows a 42% increase in cyber-attacks in the first half of 2022 compared to 2021, and a 69% increase in cyber-attacks targeting the healthcare sector alone. Moreover, OCR reported that in 2021, 74% of the reported breaches involved hacking/IT incidents. As a result, OCR has identified hacking as the greatest threat to the privacy and security of protected health information (PHI) in the healthcare sector.
These statistics underscore the importance of providers ensuring that their HIPAA programs are in full compliance with the law. OCR notes the significance of entities ensuring they have sufficient plans in place to: (1) identify security incidents; (2) respond to security incidents; (3) mitigate harmful effects of security incidents; and (4) document security incidents and their outcomes in compliance with the HIPAA Security Rule. The Newsletter provides helpful summaries of items to keep in mind when planning to address each of these tasks.
Moreover, OCR underscores the importance of forming a security incident response team before a potential cybersecurity incident or breach is identified. Having a trained and organized team is critical to ensuring that when an incident does occur, as is almost certain in any organization, the team is prepared to act with an appropriate and timely response.
When forming a security incident response team, factors to consider in assembling a well-rounded group include: ensuring the team has sufficient expertise; including members with sufficient lines of communication to key individuals; ensuring key internal groups are represented (e.g., management, IT, legal, public affairs); and identifying the key services that the team will need to provide as part of its duties.
The value of a well-prepared security incident response protocol is best summed up in the Newsletter’s conclusion, which states, “The policies and procedures regulated entities create to prepare for and respond to security incidents can pay dividends in the long run with faster recovery times and reduced compromises of ePHI. A well thought-out, well-tested security incident response plan is integral to ensuring the confidentiality, integrity, and availability of a regulated entity’s ePHI.”
With the pandemic, the struggling economy, and so many other issues impacting providers and consuming their daily attention, it is easy to become complacent or overlook the constant threats that cyber-attacks pose to the healthcare sector. OCR’s Newsletter serves as a key reminder of that threat and provides a helpful overview of the areas providers should review in assessing the sufficiency of their respective HIPAA programs.