
OCR Provides Tips for Fending Off Common Healthcare Cyberattacks

OCR’s Q1 newsletter offered tips for defending against common healthcare cyberattacks like phishing and known vulnerability exploits.

The Office for Civil Rights (OCR) issued its quarter one newsletter, containing tips for defending against some of the most common healthcare cyberattacks.

The newsletter stated that healthcare entities and business associates reported 45 percent more data breaches (impacting more than 500 individuals) to OCR in 2020 compared to 2019. More than 65 percent of reported 2020 healthcare data breaches were due to hacking or IT incidents.

Despite the uptick in healthcare data breaches, OCR suggested that most cyberattacks could be prevented if organizations implemented HIPAA Security Rule requirements to address common attack types, including phishing, exploitation of known vulnerabilities, and weak authentication protocols.

Phishing remains one of the most common and successful cyberattack methods. However, it is also relatively easy to prevent with the proper safeguards.

“All regulated entities’ workforce members should understand they have an important role in protecting the ePHI their organization holds from cyber-attacks. Part of that role involves being able to detect and take appropriate action if one encounters suspicious email,” the newsletter stated.

“To ensure workforce members can take appropriate action, regulated entities should train their workforce members to recognize phishing attacks and implement a protocol on what to do when such attacks or suspected attacks occur (e.g., report suspicious emails to appropriate IT personnel).”

The HIPAA Security Rule requires covered entities to implement employee training programs and follow up on that training with regular security reminders across the workforce.

“An educated workforce can be an effective first line of defense and an integral part of a regulated entity’s strategy to defend, mitigate, and prevent cyber-attacks,” the newsletter continued.

“Unfortunately, security training can fail to be effective if it is viewed by workforce members as a burdensome, ‘check-the-box’ exercise consisting of little more than self-paced slide presentations. Regulated entities should develop innovative ways to keep the security trainings interesting and keep workforce members engaged in understanding their roles in protecting ePHI.”

Exploitation of known vulnerabilities is also an extremely common and easy way for attackers to gain access to networks. For example, unpatched Log4j vulnerabilities can be exploited to achieve remote code execution (RCE).

The simplest way to avoid these exploits is to prioritize patching and to maintain strict cybersecurity standards. OCR recommended that organizations subscribe to alerts from the Cybersecurity and Infrastructure Security Agency (CISA) and the HHS Health Sector Cybersecurity Coordination Center (HC3).

“Although older applications or devices may no longer be supported with patches for new vulnerabilities, regulated entities should still take appropriate action if a newly discovered vulnerability affects an older application or device,” OCR explained.

“Regulated entities should upgrade or replace obsolete, unsupported applications and devices (legacy systems). However, if an obsolete, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur (e.g., increase access restrictions, remove or restrict network access, disable unnecessary features or services).”

Weak cybersecurity practices naturally make healthcare organizations easy targets for attackers, and organizations could also face consequences for noncompliance. OCR recommended that organizations implement strong authentication practices and access controls, and that they regularly examine the effectiveness of their cybersecurity programs.

“Although malicious attacks targeting the health care sector continue to increase, many of these attacks can be prevented or mitigated by fully implementing the Security Rule’s requirements,” OCR concluded.

“Unfortunately, many regulated entities continue to underappreciate the risks and vulnerabilities of their actions or inaction (e.g., increased risk of remote access, unpatched or unsupported systems, not fully engaging workforce in cyber defense).”

OCR’s director, Lisa J. Pino, also recently released a blog post urging the healthcare sector to prioritize cybersecurity in 2022.
