OCR: HIPAA Security Rule Compliance Could Avert and Mitigate the Majority of Cyberattacks

Healthcare hacking incidents have been growing continuously for several years. Hacking/IT incidents increased by 45% between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information (ePHI) were due to hacking and other IT incidents. A substantial percentage of those breaches might have been averted if HIPAA-regulated entities had been fully compliant with the HIPAA Security Rule.

The Department of Health and Human Services’ Office for Civil Rights (OCR) stated in its March 2022 cybersecurity bulletin that compliance with the HIPAA Security Rule would prevent or substantially mitigate many cyberattacks. Many cyberattacks on the healthcare sector are financially motivated and are carried out to steal ePHI or to encrypt patient records and block legitimate access. Initial access to healthcare networks is usually obtained through proven methods such as phishing, exploitation of known vulnerabilities, and weak authentication practices, rather than through previously unknown vulnerabilities.

Deterrence of Phishing

According to Coveware’s Q2 2021 Quarterly Ransomware Report, about 42% of ransomware attacks in that period gained initial network access through phishing emails. Phishing attacks attempt to trick staff members into visiting a malicious web page and entering their credentials, or into opening a malicious file that installs malware.

Anti-phishing solutions such as spam filters and web filters are essential technical safeguards against phishing. They block email from known malicious domains, scan attachments and URLs, and prevent access to known malicious web pages where malware is downloaded or credentials are harvested. These tools are important technical measures for protecting the confidentiality, integrity, and availability of ePHI.
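As an added illustration (not part of OCR’s bulletin or this article), the three gateway checks described above, sender-domain blocking, URL scanning and attachment screening, run over a constructed sample message; every domain, host and file name here is hypothetical and the blocklists stand in for a real threat-intelligence feed:

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical blocklists standing in for the feeds a real spam or web filter
# consumes; the .invalid TLD guarantees these are not real hosts.
BLOCKED_SENDER_DOMAINS = {"malicious-example.invalid"}
BLOCKED_URL_HOSTS = {"credential-harvest.invalid"}
# Attachment types commonly rejected at the mail gateway.
BLOCKED_ATTACHMENT_EXTS = (".exe", ".js", ".vbs", ".scr")

URL_HOST_RE = re.compile(r"https?://([^/\s>]+)", re.IGNORECASE)


def screen_message(raw: str) -> list[str]:
    """Return the reasons a message should be quarantined (empty list = deliver)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Block mail from identified malicious sender domains.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in BLOCKED_SENDER_DOMAINS:
        findings.append(f"sender domain blocked: {domain}")

    # 2. Scan URLs in the body against known credential-harvesting hosts.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for host in URL_HOST_RE.findall(text):
        if host.lower() in BLOCKED_URL_HOSTS:
            findings.append(f"malicious URL host: {host}")

    # 3. Screen attachments by file type.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_ATTACHMENT_EXTS):
            findings.append(f"disallowed attachment: {name}")
    return findings


def sample_phish() -> str:
    """Constructed sample message (not a real phishing email) for the demo."""
    m = EmailMessage()
    m["From"] = "IT Helpdesk <support@malicious-example.invalid>"
    m.set_content("Reset now: https://credential-harvest.invalid/login")
    m.add_attachment(b"not a real binary", maintype="application",
                     subtype="octet-stream", filename="update.exe")
    return m.as_string()
```

Calling `screen_message(sample_phish())` returns all three findings, while a plain internal message with no blocked domain, URL or attachment returns an empty list and is delivered.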

OCR reminded HIPAA-regulated entities that the Security Rule requires them to provide a security awareness and training program for all workforce members, including management and senior executives. A regulated entity’s training program should be an ongoing, evolving process, flexible enough to educate the workforce on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond to them.

The Security Rule also contains an addressable requirement to send periodic security reminders to the workforce. OCR noted that phishing simulation emails are a useful form of “security reminder”. These exercises test the effectiveness of the training program and allow regulated entities to identify weak links and correct them; the weak links may be staff members who have not fully absorbed their training, or gaps in the training program itself.

Unfortunately, security training is ineffective if workforce members see it as a tedious, “check-the-box” exercise consisting only of self-paced slide presentations. Regulated entities should find creative ways to keep security training engaging and keep staff actively involved in understanding their role in protecting ePHI.

Prevention of Vulnerability Exploitation

Some cyberattacks exploit previously unknown vulnerabilities (zero-day attacks), but it is far more common for attackers to exploit known vulnerabilities for which patches or public mitigations are already available. Failure to patch and update operating systems and software promptly is what allows threat actors to take advantage of these vulnerabilities.

The continued use of outdated, unsupported software and operating systems (legacy systems) is widespread in healthcare. Legacy systems should be upgraded or replaced. Where an outdated, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented, or existing safeguards strengthened, to mitigate known vulnerabilities until the upgrade or replacement can occur (e.g., increasing access restrictions, removing or restricting network access, and disabling unnecessary features or services).

The HIPAA Security Rule requires regulated entities to implement a security management process to prevent, detect, contain, and correct security violations. A risk analysis must be conducted, and risks and vulnerabilities to ePHI must be reduced to a reasonable and appropriate level. The risk analysis and risk management process should identify and address both technical and non-technical vulnerabilities.

To help address technical vulnerabilities, OCR recommends subscribing to alerts and bulletins from CISA, OCR, and the HHS Health Sector Cybersecurity Coordination Center (HC3), and participating in an information sharing and analysis center (ISAC). Vulnerability management should include routine vulnerability scans and periodic penetration tests.

Get Rid of Weak Cybersecurity Measures

Threat actors frequently exploit weak authentication practices, such as weak passwords and single-factor authentication. According to the 2020 Verizon Data Breach Investigations Report, more than 80% of breaches attributable to hacking involved exposed or brute-forced credentials.

The risk of unauthorized access is higher when users access systems remotely, so supplemental authentication controls should be implemented, such as multi-factor authentication for remote users.

Because privileged accounts provide access to a wider range of systems and data, steps should be taken to strengthen the protection of those accounts. To reduce the risk of unauthorized access to privileged accounts, a regulated entity may determine that a privileged access management (PAM) system is reasonable and appropriate to implement. A PAM system is a means to secure, control, manage, and monitor access to and use of privileged accounts and/or functions across an organization’s infrastructure. It gives an organization control over, and visibility into, how privileged accounts are used in its environment, and so can help detect and prevent misuse of those accounts.

OCR advises regulated entities to regularly assess the strength and effectiveness of their cybersecurity practices and to enhance or add security controls to reduce risk as appropriate, and to conduct periodic technical and non-technical evaluations of implemented security measures in response to environmental or operational changes affecting the security of ePHI.