- As National Cybersecurity Awareness Month draws to a close, OCR is recommending healthcare cybersecurity best practices to prevent cyberattacks from succeeding and lessening their impact if they do succeed.
“Because ePHI identifies individuals and includes information regarding an individual’s health, treatment, or treatment payment information, it presents a tempting target for bad actors – especially identity thieves. On the black market, ePHI is often more valuable than other types of personal data because it can be used to steal identities and commit healthcare fraud,” warned OCR in its October 2018 Cybersecurity Newsletter.
First, OCR recommends that organizations consider deploying data encryption to prevent an unauthorized user from gaining access to sensitive data, helping to reduce the risk of ePHI compromise.
“HIPAA covered entities and business associates are required to assess whether encryption is a reasonable and appropriate safeguard as a means of protecting ePHI at rest (i.e., ePHI that is stored such as on a computer’s hard drive or on electronic media) and ePHI that is electronically transmitted,” OCR related.
Encryption is more than just a good-to-have cybersecurity measure. It could help organizations avoid hefty HIPAA fines. For example, OCR levied $4.3 million in fines against Texas-based Anderson Cancer Center (MD Anderson) for failing to encrypt its inventory of devices that processed and stored ePHI.
This resulted in the exposure of ePHI on more than 33,500 individuals when an unencrypted laptop was stolen and two thumb drives were lost, according to OCR. MD Anderson challenged the fines, but an HHS Administrative Law Judge upheld them.
Second, OCR recommends that employees be trained to recognize and avoid phishing attacks. Phishing has become the preferred method for hackers to get access to healthcare organizations and steal valuable medical data and/or deploy ransomware.
“Phishing remains one of the most common and effective social engineering tactics for stealing user credentials and other sensitive information. Malicious actors send deceptive emails to users, enticing them to disclose login credentials or click links that may install malware,” OCR observed.
OCR stressed that the HIPAA Security Rule mandates that both covered entities and business associates conduct regular security awareness training for employees and managers.
Third, OCR supports implementing audit logs of network and system activity.
“Audit logs are an important security tool that allows organizations to detect suspicious activities as they are occurring and can be used to reconstruct events that happened in the past. In order to be effective, the information contained in logs should be reviewed on a regular basis,” it advised.
OCR noted that the HIPAA Security Rule requires healthcare organizations to implement audit controls, that is, safeguards to record and examine activity on IT systems that contain and use ePHI and to review records of IT system activity.
In fact, a class-action lawsuit against Allscripts cited its failure to have audit controls as one of the reasons that a ransomware attack succeeded in preventing around 1,500 customers from accessing its cloud EHR applications.
One of Allscripts’ customers, Surfside, filed the lawsuit in January of this year, arguing that it suffered economic damage and other harm from the interruption in Allscripts' services.
“Allscripts breached its duties by failing to implement, monitor, and audit the security of its data and systems, resulting in a ransomware attack that significantly impeded and/or prevented its clients’ ability to conduct business,” the class-action lawsuit stated. The failure to implement the necessary safeguards was a breach of contract, it added.
Fourth, OCR recommends that organizations property configure network devices and software. This will help reduce the attack surface for attackers and improve cyber defenses. Secure configuration of networks and software is essential to ensure that other cybersecurity measures, such as encryption, antivirus software, and audit logs, function effectively.
“The configuration of firewalls, workstations, routers, servers, and other components all play an important role in minimizing the chance of security incidents,” OCR concluded.