HHS Office of Civil Rights Director urges healthcare organizations to prioritize cybersecurity this year


In a February 28, 2022, blog post, Lisa J. Pino, Director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), expressed her grave concern about the ever-increasing number of cyberattacks on covered entities and business associates. Pino urged healthcare organizations to follow HIPAA Security Rule requirements and take immediate steps to mitigate the risk of cyberattacks.


According to OCR’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2020, the number of data breaches exposing protected health information (PHI) continues to rise. In 2020, data breaches that exposed more than 500 patients’ PHI per breach rose an astonishing 61 percent.

OCR Director recommends immediate risk analysis and mitigation

In her blog post, Pino stressed the urgency of risk analysis and risk mitigation, not just for the protection of electronic health records, but across the entire covered entity’s or business associate’s operation. This begins, Pino stated, with knowing where your patients’ electronic PHI (ePHI) is stored and used.

Pino also focused on cybersecurity best practices and offered tips and resources for healthcare organizations. These best practices include:

  • Scheduled backups that are encrypted and stored offline
  • Testing backups
  • Scanning devices for malware, viruses, and other vulnerabilities
  • Immediate installation of all software patches and updates
  • Regular, thorough employee security awareness training

The OCR’s 2020 Annual Report includes a Lessons Learned section that describes how underprepared many healthcare organizations are for cyberattacks. Threat actors know that healthcare organizations are sometimes lax in implementing the HIPAA Security Rule’s requirements and they don’t hesitate to exploit this vulnerability.

The HIPAA Security Rule and you

The HIPAA Security Rule requires, among other things, that covered entities and business associates conduct regular risk analyses, implement risk management procedures, review information system activity, implement audit controls for systems that store or use patients’ ePHI, provide security awareness training to employees, and properly authenticate the identity of anyone who asks for access to PHI.

However, OCR’s investigation of more than 67,000 data breaches in 2020 found that many healthcare organizations either do not follow the Security Rule properly or do not implement some of its requirements at all.

Since OCR actively investigates breaches of unsecured PHI, a cyberattack could very well cost your organization twice—once to mitigate the effects of a cyberattack, and a second time via a fine from OCR.

Protect your inbox

HHS’s recent alert concerning the protection of EHRs includes email security recommendations such as implementing email attachment sandboxing and filtering URLs.

We at Paubox also strongly recommend implementing Zero Trust Email, which uses multi-factor authentication (MFA) and robust inbound security tools to check incoming emails and verify their authenticity. Zero Trust Email uses email AI to identify legitimate email messages before they hit your inbox.


About the author

Nancy Parode
