HHS OCR director is encouraging healthcare entities to strengthen their cyber posture and review risk management policies, which will be a key HIPAA enforcement effort of the agency. (Photo by Alex Wong/Getty Images)

Office for Civil Rights Director Lisa Pino is urging all healthcare delivery organizations and business associates to prioritize cybersecurity, risk management and patient privacy, a key concern for the Department of Health and Human Services.

Pino issued a call to action for the healthcare sector in a blog post, providing a first-time glimpse into the agency’s focus. As recently noted by former OCR Director Roger Severino, his team concentrated its efforts on the Health Insurance Portability and Accountability Act Right of Access standard, issuing more than two dozen actions over the course of his tenure.

In light of the pandemic, the current administration had yet to provide insights into its potential enforcement focus outside of its ongoing info blocking and interoperability efforts.

A new HHS blog reveals that Pino intends to lead HHS by enforcing HIPAA, in a direct response to the spike in 2021 cyber, hacking, and IT incidents across the government, corporations, supply chains and healthcare.

Pino was previously the senior counsel to the secretary of the Department of Homeland Security during one of the largest federal hacks in 2015, which impacted 4 million credentials and 22 million surrogate profiles. She intends to use this experience to drive OCR’s enforcement, following a “turbulent” year of cybercriminals taking advantage of provider organizations.

Reports of network outages, care diversions and appointment cancellations “underscore why it is so important for health care to be vigilant in their approach to cybersecurity,” said Pino. “With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022.”

Regulated entities must improve compliance with the HIPAA Security Rule standards, especially around risk analysis and risk management implementation specifications, audit controls, activity review, security awareness, training and authentication concerns. These compliance areas were all targeted in 2020 OCR breach investigations.

Healthcare providers are encouraged to review risk management strategies and ensure risk analyses cover more than electronic health record systems, while being “comprehensive in scope.”

“I cannot underscore enough the importance of enterprise-wide risk analysis,” said Pino. “If you haven’t looked at your risk management policies and procedures recently to prevent or mitigate these concerns, now is the time to do so… We owe it to our patients, and industry, to improve our cybersecurity posture in 2022 so that health information is private and secure.”

Entities should fully understand where all electronic patient health information is located within the enterprise network, including software, connected devices, legacy platforms, and other devices. Recommended best practices include offline, encrypted data backups, routine vulnerability scanning, regular patching, and employee training.

Notably, OCR previously shared multiple risk management tools, including one for risk assessments, along with guidance on cybersecurity and risk analysis.