As the Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), I am proud of my team’s work towards increasing cybersecurity awareness last month, and in fact, every month. OCR enforces the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, and Enforcement Rules to keep individuals’ health information private and secure.
To keep individuals’ protected health information safe, an organization must have strong cybersecurity measures. When a HIPAA regulated entity understands good cybersecurity practices and has them in place, the risk of protected health information being compromised is lower. To promote these good practices, OCR offers resources to the public and covered entities that address trending cybersecurity topics. Although strong cybersecurity habits should be year-round, OCR celebrated October’s Cybersecurity Awareness Month with gusto in the following ways:
- Resource Documents on Telehealth: OCR issued two resource documents to promote cybersecurity in telehealth for different audiences.
- The first is tailored for health care providers on “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth”. This resource can be used by health care providers to explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications (“apps”) for telehealth. The information in this resource expands on the Department’s existing resources for health care providers on preparing patients for telehealth with a focus on privacy and security.
- The second telehealth resource is tailored for patients, “Telehealth Privacy and Security Tips for Patients”. It provides real-life tips to the public about protecting and securing their health information when accessing telehealth.
- Newsletter on Sanctions Policies: OCR frequently publishes Cybersecurity Newsletters to keep the public informed of the most up-to-date cybersecurity topics. In October, OCR put out a newsletter on “How Sanction Policies Can Support HIPAA Compliance”. An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. The newsletter described the functions, the content, and the execution of such a policy, and what it might look like in practice.
- Videos on Defending Against Cyber-Attacks: OCR released two videos, in English and Spanish, on the HIPAA Security Rule and how it can help regulated entities defend against cyber-attacks. The videos discuss real world cyber-attack trends, based on OCR’s experience with its breach reports and enforcement, along with ways to detect and mitigate common cyber-attacks.
- Settlements: OCR announced its first ever settlement concerning a ransomware attack. Ransomware is a type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. This settlement with a business associate highlights how ransomware attacks are increasingly common and targeting the health care system.
- Webinar on Risk Analysis: To cap off Cybersecurity Awareness Month, OCR hosted a webinar titled “The HIPAA Security Rule Risk Analysis Requirement” for an audience of over 4,000 registrants. A risk analysis is a key and necessary step for effective cybersecurity and HIPAA Security Rule compliance. This webinar discussed what is required to conduct an accurate and thorough assessment of the risks to protected health information.
- Cybersecurity Training: Throughout October, OCR’s eight regional offices conducted cybersecurity training for large hospitals, small medical providers, business associates, state health departments, and state social service agencies to assist them in complying with their cybersecurity obligations in the face of changing threats.
We encourage your efforts to keep your organization in compliance with HIPAA, and part of that effort is having strong cybersecurity measures. Stay tuned for future OCR announcements in support of HIPAA and cybersecurity, and please make use of our free cybersecurity resources:
- Security Risk Assessment (SRA) Tool
- FACTSHEET: Ransomware and HIPAA
- Guidance on Risk Analysis Requirements under the HIPAA Security Rule
- Cybersecurity Newsletters Archive
- Cyber-Attack Response Checklist
- Cyber-Attack Quick Response Infographic
- Recognized Security Practices Video
- Online Tracking Technologies Bulletin
- Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet
- Resources for Mobile Health App Developers