OCR Director Discusses HIPAA Enforcement
HIPAA enforcement is picking up again. A recent string of HIPAA settlements is intended to send a message that protecting patient privacy should be a top priority for healthcare organizations.
Roger Severino, director of the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA, gave an interview this week and discussed how healthcare organizations can protect themselves in the face of rising cyber crime. Noting there has been an uptick in hacking incidents causing breaches in healthcare, Severino said “Providers really need to take these threats seriously”, and the first step is a Risk Analysis.
His top four recommendations for protecting patient privacy:
- Risk Analysis so you can identify your own vulnerabilities before the hackers do
- System activity review and audit logs to give you visibility into your system – this helps identify outside hackers but also insider threats (the best anti-virus product won’t stop human nature; insider snooping and theft are real)
- Strong password policies, including multi-factor authentication, and appropriate access controls
- Business Associate Agreements with third party vendors
Patient Safety is at Risk
Director Severino also emphasized that while following HIPAA is essential for protecting patient privacy, it is also necessary to protect patient safety. HIPAA requires that patients have access to their own medical information, and OCR has a Right of Access Initiative to help enforce it. It can be a matter of life and death – patients need access to their own information to manage their own care, take the right medication and ask the right questions. But cybercrime, specifically ransomware, also puts patient safety at risk, because when a healthcare provider’s information system is locked down, critical patient care information can be lost, or the facility may need to shut down, leaving patients without care.
Ransomware is Presumed to be a Breach
When ransomware hits, you need to report it to the FBI, because it’s a federal crime. Under HIPAA, Director Severino notes, it is also presumed to be a breach, and reportable to HHS. You cannot have confidence that the data is safe, and you cannot trust what the hackers tell you about whether it has been exfiltrated or sold. Paying ransom is not a guarantee that the data hasn’t been compromised. Only a very lengthy, detailed forensic analysis might reveal whether the data has been stolen, and even those are not always conclusive. It must be reported while you investigate and determine whether patients and/or the media need to be notified.
OCR Priorities Today
Director Severino explained that HIPAA enforcement is picking up again now. When the COVID-19 pandemic hit early in the year, OCR turned its attention to helping manage the crisis. They issued new guidance, including policies to encourage the use of telehealth. But now, as things have stabilized, OCR is focused on protecting the privacy interests of the American public through continued enforcement of its Right of Access Initiative and its focus on hacking and ransomware.
“Despite the extraordinary difficulties of COVID-19 we can’t forget that health information privacy is the cornerstone of the safe and proper delivery of medicine. If people don’t have confidence that their records will be private and accessible they’ll be less likely to seek medical care to begin with, and this is ultimately what it is all about.”
Listen to Director Severino’s full interview with Marianne Kolbasuk McGee of HealthInfoSec here.
Vaccine Trials are Hit with Ransomware
There has been an exponential increase in ransomware during 2020. It’s hitting every sector globally, but healthcare has been particularly vulnerable due in part to the pandemic.
In early July we reported on a ransomware attack on the University of California San Francisco Medical School, which was working on a COVID-19 vaccine. This week the New York Times reported that ransomware hit IQVIA, the contract research organization helping manage AstraZeneca’s COVID-19 vaccine trial. Apparently Bristol Myers Squibb, the drugmaker leading a consortium of companies to develop a quick test for the virus, was also hit. In the case of IQVIA, the problems were limited because they had backed up their data.
FBI Describes Internet Security Risks for Voters
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) want to help the public recognize and avoid spoofed election-related internet domains and email accounts just before the November 3 election.
Spoofed domains and email accounts are used by foreign actors and cybercriminals and can easily be mistaken for legitimate websites or emails. These are used to spread false information; gather valid usernames, passwords, and email addresses; collect personally identifiable information; and spread malware, leading to further compromises and potential financial losses.
Spoofed domains are ones with slightly altered characteristics of legitimate domains. For example, one may have an alternate spelling of a word (“electon” instead of “election”), or it might use an alternative top-level domain, such as a .com version of a legitimate .gov website. People might unknowingly visit spoofed domains while looking for information about the 2020 election.
Another tactic cyber criminals use is a seemingly legitimate email account to entice people into clicking on malicious files or links. A common one used is Amazon – the email looks like it comes from Amazon, but when you hover over “Amazon” in the From: line of the email, you can see an unrecognizable email address behind it, unaffiliated with Amazon. Delete it.
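The two checks described above (a lookalike domain with a misspelled word or a swapped top-level domain, and a From: display name that does not match the actual sender address) can be automated for mail triage. The following is an added example written for this page, not code from the FBI, CISA or The HIPAA E-Tool; the allow-list of legitimate domains, the sample From: headers and the edit-distance threshold of 2 are all constructed assumptions. It generalizes the page’s “electon” example to any domain within a couple of character edits of a known-good name.

```python
"""Flag lookalike domains and display-name/address mismatches in From: headers.

Added example: the allow-list and sample headers below are constructed for
illustration and are not from the original article.
"""
from email.utils import parseaddr

# Constructed allow-list of domains the organization considers legitimate.
KNOWN_GOOD_DOMAINS = {"election.gov", "vote.gov", "amazon.com"}

# Assumption: a registrable name within this many edits of a known-good name
# is treated as a probable misspelling ("electon" vs "election" is 1 edit).
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(domain: str, known=KNOWN_GOOD_DOMAINS) -> list:
    """Return the reasons a domain resembles a known-good domain ([] if clean).

    Two patterns from the FBI/CISA description are checked: a misspelled name
    under the same TLD, and the same name under a different TLD (.com for .gov).
    """
    domain = domain.strip().lower().rstrip(".")
    # Exact match or a subdomain of a known-good domain is legitimate.
    if domain in known or any(domain.endswith("." + g) for g in known):
        return []
    name, _, tld = domain.rpartition(".")
    reasons = []
    for good in sorted(known):
        gname, _, gtld = good.rpartition(".")
        if name == gname and tld != gtld:
            reasons.append(f"TLD swap of {good}")
        elif tld == gtld and 0 < levenshtein(name, gname) <= MAX_EDIT_DISTANCE:
            reasons.append(f"misspelling of {good}")
    return reasons


def from_header_findings(from_header: str, known=KNOWN_GOOD_DOMAINS) -> list:
    """Inspect a raw From: header value and return a list of findings.

    A display name that mentions a known brand (the label before the TLD,
    e.g. "amazon") while the address domain is not that brand's domain is
    exactly the "hover over the name" mismatch the article describes; the
    address domain is additionally run through the lookalike check.
    """
    display, addr = parseaddr(from_header)
    addr_domain = addr.rpartition("@")[2].lower()
    findings = []
    for good in sorted(known):
        brand = good.rpartition(".")[0]
        claims_brand = brand in display.lower()
        really_brand = addr_domain == good or addr_domain.endswith("." + good)
        if claims_brand and not really_brand:
            findings.append(
                f"display name mentions {brand!r} but address domain is {addr_domain!r}"
            )
    findings.extend(lookalike_reasons(addr_domain, known))
    return findings


if __name__ == "__main__":
    # Constructed samples; none of these addresses are real senders.
    for hdr in ('"Amazon" <orders@mail-example.net>',
                '"Amazon" <no-reply@amazon.com>',
                'Election Info <news@electon.gov>'):
        print(hdr, "->", from_header_findings(hdr) or "no findings")
```

In practice the allow-list would be the organization’s own vendors and the government domains it actually corresponds with, and a non-empty finding list would route the message to quarantine or to a reviewer rather than to the inbox.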
Be Proactive, Stay on Alert
The only way to fight back against cybercrime is to be proactive and take the necessary steps. HIPAA compliance is a blueprint for protection against cybersecurity risks.
Do a Risk Analysis and follow the Risk Management Plan that results from it. Remember OCR priorities about the right of access and prevention of hacking and ransomware.
Stay vigilant, be suspicious and ask questions if you don’t understand your responsibilities. You can start by asking us at The HIPAA E-Tool®.