OCR Recommends 4 Best Practices for Healthcare Cybersecurity
The Office for Civil Rights (OCR) has recommended healthcare cybersecurity best practices to prevent cyberattacks from succeeding and to lessen their impact if they do succeed, as reported by Fred Donovan of Health IT Security.
1) Encryption: OCR recommends that organizations consider enlisting data encryption to prevent unauthorized access to sensitive data, helping to reduce the risk of ePHI compromise.
“HIPAA covered entities and business associates are required to assess whether encryption is a reasonable and appropriate safeguard as a means of protecting ePHI at rest (i.e., stored ePHI) and ePHI that is electronically transmitted,” OCR related.
Encryption could help organizations avoid hefty HIPAA fines. For example, OCR levied $4.3 million in fines against Texas-based Anderson Cancer Center (MD Anderson) for failing to encrypt its inventory of devices that processed and stored ePHI.
This resulted in the exposure of ePHI on more than 33,500 individuals when an unencrypted laptop was stolen and two thumb drives were lost, according to OCR. MD Anderson challenged the fines, but an HHS Administrative Law Judge upheld them.
2) Training: OCR recommends that employees be trained to recognize and avoid phishing attacks. Phishing has become the preferred method for hackers to get access to healthcare organizations and steal valuable medical data and/or deploy ransomware.
“Phishing remains one of the most common and effective social engineering tactics for stealing user credentials and other sensitive information. Malicious actors send deceptive emails to users, enticing them to disclose login credentials or click links that may install malware,” OCR observed.
OCR stressed that the HIPAA Security Rule mandates that both covered entities and business associates conduct regular security awareness training for employees and managers.
3) Audit Controls: OCR supports implementing audit logs of network and system activity. “Audit logs are an important security tool that allows organizations to detect suspicious activities as they are occurring and can be used to reconstruct events that happened in the past. In order to be effective, the information contained in logs should be reviewed on a regular basis,” it advised.
OCR noted that the HIPAA Security Rule requires healthcare organizations to implement audit controls, that is, safeguards to record and examine activity on IT systems that contain and use ePHI and to review records of IT system activity.
In fact, a class-action lawsuit against Allscripts cited its failure to have audit controls as one of the reasons that a ransomware attack succeeded in preventing around 1,500 customers from accessing its cloud EHR applications.
One of Allscripts’ customers, Surfside, filed the lawsuit in January of this year, arguing that it suffered economic damage and other harm from the interruption in Allscripts' services.
“Allscripts breached its duties by failing to implement, monitor, and audit the security of its data and systems, resulting in a ransomware attack that significantly impeded and/or prevented its clients’ ability to conduct business,” the class-action lawsuit stated. The failure to implement the necessary safeguards was a breach of contract, it added.
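The audit-control recommendation above only pays off if the logs are actually reviewed. The following is an added example, not code from OCR or from the article, showing the kind of routine review it describes: it parses a small constructed ePHI access log (the log format, user names and patient IDs are invented for illustration) and flags after-hours access and bulk record access, two findings a reviewer would want to reconstruct and investigate.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data). Each line is:
# <ISO timestamp> <user> <role> <action> <patient id>
SAMPLE_LOG = """\
2023-05-01T09:12:04 jdoe nurse VIEW P1001
2023-05-01T09:15:30 jdoe nurse VIEW P1002
2023-05-01T14:02:11 asmith physician VIEW P1002
2023-05-02T02:10:45 mwilson billing VIEW P1003
2023-05-02T02:11:02 mwilson billing VIEW P1004
2023-05-02T02:11:20 mwilson billing VIEW P1005
2023-05-02T02:11:41 mwilson billing VIEW P1006
2023-05-02T02:12:03 mwilson billing EXPORT P1007
"""


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines raise ValueError."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "patient": patient})
    return events


def review_log(text, bulk_threshold=5, work_hours=(7, 19)):
    """Return a list of findings as tuples: (rule, user, when, detail).

    Rules (thresholds are illustrative assumptions, tune per organization):
      after_hours  - any ePHI access outside work_hours (start <= hour < end)
      bulk_access  - a user touching >= bulk_threshold distinct patients in a day
    """
    findings = []
    per_user_day = defaultdict(set)
    for e in parse_log(text):
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            findings.append(("after_hours", e["user"],
                             e["ts"].isoformat(), e["patient"]))
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) >= bulk_threshold:
            findings.append(("bulk_access", user, day.isoformat(), len(patients)))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```

In practice the review would run on a schedule against the real EHR audit trail and route findings to whoever owns incident triage, so that a pattern like the one flagged for "mwilson" is examined while it is still recent.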
4) Secure Configuration: OCR recommends that organizations properly configure network devices and software. This will help reduce the attack surface and improve cyber defenses. Secure configuration of networks and software is essential to ensure that other cybersecurity measures, such as encryption, antivirus software, and audit logs, function effectively.
“The configuration of firewalls, workstations, routers, servers, and other components all play an important role in minimizing the chance of security incidents,” OCR concluded.
For help incorporating the above critical safeguards into your medical practice, contact HIPAAcraticRx.