As Director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), I am proud of my team’s work to raise awareness about cybersecurity last month and, indeed, everyone months. OCR enforces the privacy, security, and compliance rules of the Health Insurance Portability and Accountability Act (HIPAA) to protect people’s health information privately and securely.
To keep people’s protected health information safe, an organization must have strong cybersecurity measures in place. When a HIPAA-regulated entity understands and has good cybersecurity practices in place, it reduces the risk of protected health information being compromised. To promote these best practices, OCR offers resources to the public and covered entities that address current cybersecurity issues. While strong cybersecurity habits should exist year-round, OCR enthusiastically celebrated October Cybersecurity Awareness Month in the following ways:
- Telehealth Resource Documents: OCR published two resource documents to promote cybersecurity in telehealth for different audiences.
- Sanctions Policy Bulletin: OCR frequently publishes cybersecurity bulletins to keep the public informed on the most up-to-date cybersecurity topics. In October, OCR published a bulletin on “How Sanctions Policies Can Support HIPAA Compliance.” An organization’s sanctions policies can be an important tool to support accountability and improve cybersecurity and data protection. The bulletin conveyed what the functions, content and execution of said policy would be.
- Videos on defense against cyber attacks: The OCR published two videos, in English and Spanish, about the HIPAA security rule and how it can help regulated entities defend against cyberattacks. The videos discuss real-world cyberattack trends, drawing on OCR’s experience with its breach reporting and enforcement, along with ways to detect and mitigate common cyberattacks.
- Settlements: OCR announced its first settlement over a ransomware attack. Ransomware is a type of malware designed to deny access to a user’s data, typically by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. This deal with a business partner highlights how ransomware attacks are becoming more common and targeting the healthcare system.
- Webinar on Risk Analysis: To cap off Cybersecurity Awareness Month, OCR hosted a webinar titled “The HIPAA Security Rule Risk Analysis Requirement”, before an audience of more than 4,000 registered. A risk analysis is a key and necessary step for effective cybersecurity and compliance with HIPAA security regulations. This webinar discussed what is required to conduct an accurate and thorough risk assessment of protected health information.
- Cybersecurity training: Throughout October, OCR’s eight regional offices conducted cybersecurity training for large hospitals, small medical providers, business partners, state health departments, and state social services agencies to help them meet their cybersecurity obligations against to changing hostile threats.
We encourage your efforts to keep your organization HIPAA compliant, and part of that effort is having strong cybersecurity measures in place. Stay tuned for future OCR announcements in support of HIPAA and cybersecurity, and use our free cybersecurity resources.
Additional resources:
