OCR’s Notice of Proposed Rulemaking

Wondering about the status of OCR’s Notice of Proposed Rulemaking? OCR announced the proposed rulemaking in December 2020. Although the proposal was not technically subject to the “regulatory freeze” by the Biden administration, it was effectively delayed because OCR extended the public comment period until May 2021.

OCR’s NPRM to modify HIPAA

On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support individuals’ engagement in their healthcare, remove barriers to coordinated care, and decrease regulatory burdens on the healthcare industry, while continuing to protect individuals’ health information privacy interests.

OCR developed many of the proposals in the NPRM in response to public comments received in response to its 2018 Request for Information (RFI) on Modifying the HIPAA Rules to Improve Coordinated Care.

The NPRM’s proposed changes to the Privacy Rule include proposals to:

  • Strengthen individuals’ rights to access their own health information, including electronic information.
  • Improve information sharing for care coordination and case management for individuals.
  • Facilitate family and caregiver involvement in the care of individuals experiencing emergencies or health crises.
  • Enhance flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies.
  • Reduce administrative burdens on HIPAA covered healthcare providers and health plans.

The estimated total cost saving from this proposed regulatory reform is $3.2 billion over five years.

Wondering about the status of OCR’s Notice of Proposed Rulemaking?

On January 21, 2021, the NPRM for the proposed HIPAA privacy rule changes was published in the Federal Register. The deadline for submitting comments on the 357-page proposal was March 22, 2021. Almost everyone interacting with healthcare systems will be affected by the proposed changes to the HIPAA Privacy Rule. In light of the potential impact of the proposed HIPAA changes, the deadline for submitting comments was extended to May 6, 2021. OCR has not yet provided a date for when the Final Rule will be issued, but it is likely to result in HIPAA changes in 2023, although they may not become enforceable until 2024.

Paubox takes the stress out of HIPAA compliance and email

Paubox gives over 4,000 healthcare customers peace of mind by securing nearly 70,000,000 emails every month for providers and covered entities. Our technology is HITRUST CSF certified and rated 4.9/5.0 on G2. Trust the industry experts and start using email in your practice easily, securely and in compliance with HIPAA regulations.

White House to increase healthcare cybersecurity standards

The White House is rolling out new cybersecurity guidelines for healthcare and other critical infrastructure areas, according to public officials at a recent Washington Post event.

Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, explained that the U.S. has fallen behind on security standards in comparison to other countries. 

The goal of the new guidelines is to increase healthcare and critical infrastructure cybersecurity standards by ensuring minimum requirements are in place.

Keep reading to learn more about what’s to come and why this is important. Plus, find out how healthcare providers can strengthen protection against cyberattacks now with a secure email provider.

Key focus areas and strategies

Healthcare, water and communications sectors are critical areas of focus for raising cybersecurity standards. It’s hard to imagine not being able to access healthcare and water or losing the ability to communicate with each other. U.S. citizens’ safety is dependent on this core infrastructure.

A public-private partnership is planned as an ongoing effort to improve cybersecurity. This corresponds with Executive Order 14028 from May 2021, which promotes better communication between federal entities and private sector businesses.

At the Washington Post event, Neuberger noted that the private sector manages a significant portion of U.S. critical infrastructure, so collaboration with private groups to mitigate the latest risks and set standards is crucial.

What this means for healthcare cybersecurity

The United States Department of Health and Human Services (HHS) has begun working with partners at hospitals to implement minimum healthcare cybersecurity guidelines. In addition, efforts to secure the industry on a broader scale are in place. 

These initiatives will reduce risks to the U.S. critical infrastructure as the threat landscape continues to evolve. 

Healthcare is targeted by ransomware attacks more often than any other critical infrastructure, according to the FBI’s 2021 Internet Crime Report. CommonSpirit Health, one of the nation’s largest health systems, is still suffering the effects of a recent incident.

Stacy O’Mara, Senior Director of Government Affairs at Mandiant, told HealthcareITSecurity that these ransomware attacks can be mitigated “if hospitals had a baseline to establish, maintain, and measure their cybersecurity hygiene and level of preparedness.”

Be proactive with Paubox 

Email is a top threat vector for ransomware and other cyberattacks. Providers can proactively boost healthcare cybersecurity measures by making secure email a top priority. That’s where a HIPAA compliant email service comes in. 

Convenient and easy HIPAA compliance and email security

Paubox email solutions conveniently integrate with your current email platform, such as Google Workspace, Microsoft 365 or Paubox Email Suite. You can send HIPAA compliant email by default and automatically encrypt every outbound message. This means you don’t have to spend time deciding which emails to encrypt. And your patients receive your messages right in their inbox—no additional passwords or portals necessary. 

Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools to help block the cyberattacks plaguing healthcare.

Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect feature quickly intercepts display name spoofing attempts.

The largest medical cyberattack in U.S. history?

The largest medical cyberattack in U.S. history may have occurred last week. CommonSpirit Health is suffering at the hands of a not-yet-identified ransomware group. The number of medical records affected could be as high as 20 million.

Read on to learn more, including why healthcare is under attack and the steps to take if your medical record is leaked.

CommonSpirit Health is the nation’s fourth-largest hospital system with 142 hospitals in 21 states.

CommonSpirit Health’s Statement

Over the course of this past week, we have been managing a response to a cyberattack that has impacted some of our facilities. Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created. 

As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation and ensure continuity of care. 

Our facilities are following existing protocols for system outages, which include taking certain systems offline, such as electronic health records. 

In addition, we are taking steps to mitigate the disruption and maintain continuity of care. 

To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement. 

We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process.  

Systems serving Dignity Health and Virginia Mason Medical Center have had minimal impacts on operations by this incident. For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible.  

Central to our decision-making has been and will continue to be our ability to carry out our mission in a manner that is safe and effective to those we serve. At CommonSpirit Health, we are dedicated to meeting the needs of the communities we serve and are guided by our core set of values, which include integrity, excellence, and collaboration. We are grateful to our staff and physicians who are doing everything possible to mitigate the impact to our patients and ensure continuity of care.

The CommonSpirit ransomware attack impact area

Subsidiaries of CommonSpirit affected by the attack include CHI Health facilities in Nebraska and Tennessee, MercyOne Des Moines Medical Center, Houston-based St. Luke’s Health and Michigan-based Trinity Health System. As stated above, Dignity Health and Virginia Mason Medical Center have seen minimal operational impact from this incident.

5 reasons why healthcare is a target for ransomware

Healthcare organizations are vulnerable to cyberattacks, even more so than other industries. The reasons why advanced persistent threat (APT) groups actively target covered entities, such as healthcare providers, pharmaceutical companies, and medical research organizations, likely include the following:

  1. Medical records are valuable on the black market and fetch up to $1,000 per record.
  2. Healthcare may be more likely to pay ransoms to get data back because lives hang in the balance.
  3. The attack surface is excessive and often left vulnerable.
  4. Untrained or overworked staff are prone to make errors.
  5. Lax security: A healthcare organization may view cybersecurity as an expense, even though that expense is small compared to what the organization could lose in the event of a data breach.

How do ransomware attacks happen?

Phishing emails are a common method of delivering ransomware. The email carries a malicious attachment, or a link to one, that the victim believes is trustworthy. When the victim opens the attachment or clicks the link, the malware is downloaded and runs on the victim’s machine.

Once inside a system, the malware begins encrypting the victim’s data, typically appending a new file extension to each encrypted file to mark it. Once this is done, the files cannot be decrypted without a key known only to the attacker. Finally, a message is displayed to the victim, explaining that the files are inaccessible and can only be recovered by paying a ransom to the attackers.

Are foreign governments targeting the U.S. healthcare system?

Anne Neuberger, U.S. Deputy National Security Advisor, stressed the growing threat of foreign cyberattacks, citing U.S. government reports that identify specific “preparatory activity” targeting U.S. companies and critical infrastructure.

Further, the U.S. Department of Justice confirms that a North Korean regime-backed programmer has been charged with conspiracy and held responsible for the destructive global WannaCry 2.0 ransomware attacks.

“Security needs to be top of mind for every company. Email security is the number one cause of breaches,” Paubox customer Eli Golden, Director of IT at The Jellyvision Lab, explains. “Attackers are getting smarter, and while we train our staff thoroughly with simulated attacks and live sessions, it’s best to have as much protection as possible.”

Healthcare executives rank ransomware as the #1 threat

A recent survey of 132 healthcare executives found that ransomware was the number one cybersecurity threat – more than data breaches or insider threats – according to the Health Information Sharing and Analysis Center, a nonprofit global cyberthreat forum for the healthcare industry.

Take these 7 steps if your medical record is breached

  • File a police report
  • File a report with the FTC
  • Inform your insurer
  • Get copies of your medical record
  • Notify the three credit bureaus
  • Ask for corrections
  • Use strong passwords and 2FA or MFA on your accounts

Source: IDStrong

Are you in healthcare and concerned about digital security?

Paubox technology is HITRUST-CSF certified, patented and provides the most advanced HIPAA compliant email solutions available. Paubox solutions are effortlessly easy to implement and use.

In fact, Paubox is securing nearly 70 million HIPAA compliant emails each month for more than 4,000 healthcare customers and has a 4.9/5 G2 rating.

Whether you are a large hospital or a standalone clinic, Paubox has the right email product to keep your data and organization HIPAA compliant and secure.

OCR struggles to keep up with rising ransomware cases

According to a recent update from Politico, the Department of Health and Human Services’ Office for Civil Rights (OCR) is facing an overflowing caseload of ransomware incidents and other healthcare cybersecurity threats.  

Melanie Fontes Rainer, OCR acting director, states that investigators are “under incredible resource constraints and incredibly overworked.”

Keep reading to learn more about OCR’s challenges and proposed next steps. Plus, find out how HIPAA compliant email can help covered entities stay one step ahead.

Why the OCR budget matters to healthcare

The black market values protected health information (PHI) more than other types of personal information. That’s why cyberattacks are common in the healthcare industry.

Ransomware strikes these organizations especially hard since disruptions in care can put patients’ lives in danger. Therefore, they are more likely to comply with ransom demands.

As this threat grows, the OCR cannot provide the support needed to assist healthcare organizations. This is primarily due to inadequate funding and resources provided by Congress.

Because the OCR has a limited budget, it has a smaller investigation team than many local police departments. Consequently, investigators must handle more than 100 cases simultaneously.

Possible solutions on the horizon

In order to address this concern, the Biden administration has requested a 60 percent budget increase in 2023. As a result, the OCR would be able to hire 37 new investigators.

In addition to balancing the agency’s workload, additional resources will give the agency more opportunities to provide guidance.

Additionally, OCR officials believe implementing higher fines will boost enforcement and encourage healthcare organizations to comply with HIPAA requirements.

Healthcare cybersecurity advocates point to other solutions to reduce risks. Investing in better defense systems and workforce development is part of this strategy.

AHA’s national adviser for cybersecurity and risk, John Riggi, has called for federal support to train staff to improve security. And Intermountain Healthcare’s chief information security officer urges the Centers for Medicare & Medicaid Services to develop payment models that directly fund cybersecurity programs.

Secured email is secured healthcare

Covered entities can avoid falling victim to ransomware and other security threats by putting the right protections in place from the start. And with email serving as a leading threat vector for cybercrime, a stronger email security strategy is a must. That’s where a HIPAA compliant email provider comes in. 

Designed to integrate with your existing email platform, Paubox Email Suite enables HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules.

This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary. 

In addition to healthcare email encryption, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block ransomware and other attacks from even reaching the inbox in the first place.

Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.

Are you in healthcare and concerned about digital security?

Paubox technology is HITRUST CSF certified, patented and provides the most advanced HIPAA compliant email solutions available. Paubox solutions are designed to be effortlessly easy to implement and use.

In fact, Paubox is securing 70,000,000 HIPAA compliant emails each month for over 4,000 healthcare customers and has a 4.9/5 G2 rating.

Whether you are a large hospital or a standalone clinic, Paubox has the right email product to keep your data, organization and patients safe.

Shrinking Your Attack Surface

[FREE WHITEPAPER]

When it comes to defending your hospital or health system from cyberattack, here’s a mantra to keep in mind: you can’t fight what you can’t see.

Mapping your organization’s attack surface is a critical first step toward reducing your vulnerability—before your network is compromised.

What we cover in the whitepaper

By the end of this paper, you will:

  • Learn what an attack surface is and how to mitigate risk associated with it
  • Understand why healthcare continues to be targeted by ransomware attacks
  • Discover new ways to shrink your attack surface
  • Read a real-life Paubox case study about how our HIPAA compliant products can help your organization

North Korea is actively using ransomware to target healthcare

CISA (the Cybersecurity and Infrastructure Security Agency), the FBI, and the Department of the Treasury released a joint Cybersecurity Advisory yesterday to alert the public that North Korea is actively using ransomware to target healthcare.

In an ideal world, we would never have to issue another threat alert. But cyber actors are putting a massive strain on the health, well-being, and finances of U.S. citizens and private sectors. Our mission at Paubox is to ensure that healthcare organizations stay secure and HIPAA compliant through the most significant communication channel today: email. 

Let us help you with the heavy lifting of email cybersecurity, so you can focus on what you do best: taking care of people. Find out how.

The Strengthening American Cybersecurity Act

In March 2022, the U.S. Senate passed the Strengthening American Cybersecurity Act. Authored by U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), the act joins several other bipartisan bills that combat cyberattacks to help protect the U.S.

Data breaches, especially against critical infrastructure like healthcare, are on the rise, and regulations are growing with them. Before, healthcare organizations only had to demonstrate compliance under HIPAA, the Health Insurance Portability and Accountability Act of 1996. New legislation like the Strengthening American Cybersecurity Act adds further protocols to help covered entities and patients stay safe, which is useful to healthcare organizations tasked with patient care and with safeguarding patients’ protected health information (PHI).

Why are designated record sets important to PHI?

Designated record sets are an important part of PHI. The HIPAA Privacy Rule guarantees the rights of individuals to see their protected health information (PHI) stored in designated record sets. In addition, the Department of Health and Human Services determined that patients have a Right of Access to their PHI within a designated record set. Therefore, patients can get copies of their PHI from covered entities and their business associates maintaining patient PHI under this right.

OCR shares guidance on preventing common cyberattacks

OCR shares guidance on preventing common cyberattacks in its latest newsletter. The Department of Health and Human Services’ Office for Civil Rights (OCR) released guidelines to help prevent common cyberattacks. The OCR Quarter 1 Newsletter outlines the necessary steps covered entities can take to keep their organization’s email and data safe.

Many of us in the IT community are noticing the numerous cyberattack warnings because of the situation in Ukraine. Read on to learn recommended ways to lower your risk and how HIPAA compliant email keeps you one step ahead.
