OCR Director Urges Healthcare Providers To Strengthen Cybersecurity

By: Jay Brown
April 22, 2022

Cyberattacks and IT incidents rose sharply in 2021, and if the first few months of 2022 are any indication, cybercriminals are becoming bolder and far more dangerous. Just this past January, hackers infiltrated Broward Health’s network via a third-party provider to steal information from over 1.35 million patients.

In response to the increase in the scope and severity of cybercrime, Lisa Pino, Director of the Office for Civil Rights released a statement this past February indicating that she is making cybersecurity and patient privacy one of her top priorities.
What Is the Office for Civil Rights?

The Office for Civil Rights (OCR) falls under the jurisdiction of the U.S. Department of Health and Human Services and is tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA), the Patient Safety Act and Rule, and the Privacy, Security, and Breach Notification Rules.

OCR Recommendations

While many healthcare organizations have concentrated their efforts on safeguarding patient data, Pino also recommended that healthcare organizations step up their cybersecurity programs and procedures enterprise-wide, with a special focus on risk analysis and risk management, information system activity review, audit controls, security awareness and training, and authentication. Pino’s statement also offered the following tips:

  • Maintain offline, encrypted backups of data
  • Regularly test backups
  • Conduct regular scans to identify and address vulnerabilities
  • Quickly patch and update software and operating systems
  • Offer employee training on phishing and other common IT attacks

What Happens if You Fail To Comply With HIPAA?

The OCR has been cracking down on HIPAA violations as part of its mission to safeguard patient data. Regardless of whether a violation is deliberate or accidental, the penalties can be severe, including stiff fines and jail time, depending on the circumstances of the violation.

Of course, it’s easy to focus on penalties when discussing HIPAA. However, providers stand to lose much more than money if there is a data breach — they could also lose patient trust. Patients who don’t believe their data is secure may withhold vital information from their healthcare provider, which may, in turn, affect their quality of care.

Is Your Organization Regulated by HIPAA?

Most organizations reading this will already know if HIPAA applies to them, but for those that don’t, there are two main types of organizations subject to HIPAA: Covered Entities and their Business Associates.

Covered Entities are defined as healthcare providers, health plans, and healthcare clearinghouses that electronically transmit protected health information (ePHI). Healthcare providers under this definition include hospitals, medical centers, clinics, physicians, chiropractors, psychologists, dentists, pharmacies, and nursing homes.

Business Associates are a much broader group, and can be thought of as the downstream contractors and vendors of Covered Entities. While the first group’s requirements are explicitly identified in law, Business Associates are bound to protect ePHI through contracts called Business Associate Agreements (BAAs). If you are a contractor or subcontractor for a Covered Entity and require access to protected health information, this is you.

BAAs are so important, in fact, that in 2016 North Memorial Health Care of Minnesota settled a case with the OCR for a hefty $1.55 million over the theft of a contractor’s unencrypted laptop. The lack of a BAA, in addition to other factors such as a failure to conduct an appropriate risk analysis, played heavily into the fine.

Where To Start Your Cybersecurity Journey?

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Center for Internet Security (CIS) provide best practices to safeguard critical data and infrastructure, and are frequently updated to counter evolving cybersecurity threats. Marco’s cybersecurity recommendations are based on these best practices; if you’d like to assess your organization’s existing cybersecurity programs and practices, we’ve designed a cybersecurity checklist to give you valuable insight into any areas of vulnerability.

If you do identify any potential weaknesses in your organization’s security, the time to act is now, before an incident occurs. However, monitoring cybersecurity can be a very stressful and time-consuming task for most internal IT departments, especially if they’re still adjusting to the challenges of hybrid and remote workplaces.

Marco’s world-class cybersecurity experts have the time and resources to monitor current threats and develop effective strategies to counter them, and are happy to take on maintaining your organization’s cybersecurity.