OCR Director Urges Healthcare to Prioritize Cybersecurity This Year

OCR director Lisa J. Pino urged healthcare organizations to prioritize cybersecurity in 2022 as cyberattacks burden the sector.

Source: HHS, Office for Civil Rights

By Jill McKeon

Office for Civil Rights (OCR) director Lisa J. Pino urged healthcare organizations to prioritize cybersecurity in 2022 in a recent blog post on HHS’s website. Healthcare data breaches are still occurring on an almost daily basis.

HHS appointed Pino, a former senior executive service official at the US Department of Homeland Security (DHS) and former executive deputy commissioner of the New York State Department of Health, as the OCR’s new director in September 2021.

Given Pino’s extensive background in cyber breach mitigation efforts, experts predicted that the new leadership would bring new focus areas for OCR, including additional data breach management guidance and HIPAA enforcement actions.

The recent blog post emphasized that “prioritizing cybersecurity and patient privacy is of the utmost concern” to Pino.

“Cyberattacks grabbed headlines throughout 2021 as hacking and IT incidents affected government agencies, major companies, and even supply chains for essential goods, like gasoline,” the blog post stated. 

“For healthcare, this year was even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the Covid-19 pandemic. More than one health care provider was forced to cancel surgeries, radiology exams, and other services, because their systems, software, and/or networks had been disabled.”

The post also referenced the Log4j vulnerabilities that tested the cybersecurity of organizations across all sectors at the end of 2021. No serious attacks relating to Log4j have been reported, but the vulnerabilities further emphasized the need to remain vigilant against cyberattacks.

“All too often, we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope,” the blog post continued.

“You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”

Pino recommended that healthcare organizations maintain offline, encrypted data backups and conduct scans to address vulnerabilities and limit the attack surface and scope. Employee education and consistent patching are also crucial steps to ensuring cyber resilience.

“We owe it to our patients, and industry, to improve our cybersecurity posture in 2022 so that health information is private and secure,” the post concluded.

HIPAA-covered entities and their business associates must implement technical, physical, and administrative safeguards to comply with HIPAA. But the recent increase in cyberattacks may mean that organizations will have to invest more time, money, and energy toward improving their cybersecurity posture.