OCR Encourages HIPAA Entities to Strengthen Cybersecurity Posture

Published: April 14th, 2022

Recently, the Director of the HHS’ Office for Civil Rights, Lisa J. Pino, issued a statement encouraging HIPAA covered entities and business associates to strengthen their cybersecurity posture this year in light of the increasing rates of cyberattacks across the healthcare industry.

The last year was particularly damaging for healthcare organizations due to hackers taking advantage of the COVID-19 pandemic. In fact, the record levels of breaches had a devastating impact on patient care, resulting in cancelled surgeries, radiology exams, and other critical services. With over 45 million records breached in 2021, the numbers underscore the importance of vigilance in the approach to cybersecurity.

OCR’s investigations uncovered many cases of noncompliance with the risk analysis and risk management requirements, and OCR suggested that HIPAA-regulated entities take steps to improve compliance with the standards of the HIPAA Security Rule, specifically in the areas below:

  • Risk analysis
  • Risk management
  • Information system activity review
  • Audit controls
  • Security awareness and training
  • Authentication

Pino encouraged healthcare entities and business associates to take prompt action when new risks to the confidentiality and integrity of protected health information are identified. Some best practices and recommendations include:

  • Reviewing risk management policies and procedures
  • Ensuring data are regularly backed up (and regularly testing those backups)
  • Conducting regular scans to identify and address vulnerabilities
  • Regularly patching and updating software and operating systems
  • Training the workforce to recognize phishing scams and other common attacks, and to practice good cyber hygiene

Additional guidance and resources provided by OCR are below:

Ransomware: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

Cybersecurity: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html

Risk Analysis: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html

HHS Security Risk Assessment Tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
Want to know more about HIPAA compliance? Ask the experts at MedSafe.

If you have questions about HIPAA compliance, contact the experts at MedSafe. MedSafe is the nation's leading one-stop resource for outsourced accreditation and healthcare compliance solutions. For over 20 years, we have been providing peace of mind to hospital groups, private practices, and their business associates. Our suite of onsite and online compliance services, including OSHA, HIPAA, Corporate Compliance and Code Auditing will equip your practice with the necessary tools and skills to achieve and maintain regulatory & billing compliance. MedSafe takes a hands-on approach and works directly with your team to uncover issues and define suitable solutions.
Phone: (888) MED-SAFE