OCR Releases Educational Video on HIPAA Security Rule

OCR produced a video on how the HIPAA Security Rule can help covered entities defend against cyberattacks.

By Jill McKeon

The HHS Office for Civil Rights (OCR) released an educational video to help covered entities understand how the HIPAA Security Rule can help them defend against cyberattacks. The video was produced in recognition of National Cybersecurity Month.

Hosted by Nick Heesters, senior advisor for cybersecurity at OCR, the 43-minute video explores cyberattack trends gleaned from OCR breach reports and discusses how Security Rule compliance can help covered entities combat these threats.

The video displayed a pie chart showing that 77 percent of healthcare data breaches reported to HHS between January 1, 2023 and September 30, 2023 were attributed to hacking. This differs greatly from historical data – just 49 percent of the breaches reported to HHS between 2009 and 2022 were attributed to hacking.

“There has been a 239 percent increase in large breaches reported to OCR involving hacking from 2018 to 2022. For ransomware, it’s a 278 percent increase for the same timeframe,” Heesters noted. “This is the largest cybersecurity threat facing the healthcare industry and the protected health information it holds.”

The video went on to identify common attack vectors used against healthcare, such as phishing, unpatched vulnerabilities, and compromised accounts.

Even with these growing threats, the HIPAA Security Rule’s provisions can help covered entities mitigate risk via authentication and access controls, risk analyses, and security awareness and training. For example, when it comes to phishing, covered entities can greatly reduce risk by focusing on employee education.

“An educated workforce can be an effective first line of defense and an integral part of a HIPAA-regulated entity’s strategy to defend against phishing attacks,” Heesters stated. “The Security Rule requires HIPAA-regulated entities to implement a security awareness and training program for all members of its workforce, including management.”

Heesters stressed that an effective security awareness and training program must be an “ongoing, evolving process” and remain “flexible enough to educate workforce members of new and current cybersecurity threats.”

The video is the latest addition to the plethora of free guidance available to healthcare organizations navigating cyber threats. HHS and the Cybersecurity and Infrastructure Security Agency (CISA) recently collaborated on a healthcare cybersecurity toolkit, consisting of a variety of key resources for mitigating risk.

CISA and HHS released the toolkit ahead of a roundtable discussion between the two agencies, held on October 25, where representatives discussed how government and industry can work together to close cyber gaps.

The toolkit, which can be found on CISA’s website, consolidates industry and government resources such as CISA’s cyber hygiene services, HHS’s Health Industry Cybersecurity Practices (HICP), and HHS and the Health Sector Coordinating Council’s (HSCC) HPH Sector Cybersecurity Framework Implementation Guide.