The bulk of cyberattacks against the healthcare sector could be “prevented or substantially mitigated” by following the Health Insurance Portability and Accountability Act Security Rule, according to the Department of Health and Human Services Office for Civil Rights.
Hacking incidents reported to HHS increased by 45% from 2019 to 2020. While these attacks may be sophisticated or exploit system vulnerabilities, HIPAA requirements address some of the most common attack types, like phishing, vulnerability exploits, and weak authentication.
Reminding providers of the patient safety impacts brought on by these attacks, OCR urged covered entities and relevant business associates to review the security requirements and OCR's newsletter detailing the preventative measures to defend against some of the most common, successful tactics attackers use against the healthcare sector.
One of the most common attack vectors, phishing, accounted for approximately 42% of all ransomware exploits during the second half of 2021. As such, all employees who handle protected health information should understand their role in protecting patient data, including how to detect and report suspicious emails.
HIPAA requires healthcare entities to implement a security awareness and training program for their workforce. OCR reminded providers that the program should not be limited to an annual exercise, but should evolve to educate the workforce on new and current cyber threats.
“Management personnel should also participate, as senior executives may have greater access to ePHI and are often targeted in phishing email attacks,” according to OCR. The security rule also details an addressable provision for sending executive leaders and management periodic security reminders.
“Security training can fail to be effective if it is viewed by workforce members as a burdensome, ‘check-the-box’ exercise consisting of little more than self-paced slide presentations,” officials explained. Leaders should “develop innovative ways to keep the security training interesting and keep workforce members engaged in understanding their roles in protecting ePHI.”
HIPAA also outlines technologies proven effective at mitigating phishing risks, including those that use machine learning or behavioral analysis to detect potential email-based threats and block them as appropriate.
Entities should review the NIST National Vulnerability Database to understand how to prioritize the remediation of those gaps. Some flaws can be mitigated through vendor-provided patches, but others require alternative mitigation measures.
Acknowledging healthcare’s continued reliance on legacy platforms, OCR also reminded entities using obsolete, unsupported systems unable to be replaced or upgraded to “mitigate known vulnerabilities until upgrade or replacement can occur.” The security rule includes steps to safely isolate those devices.
Covered entities can also find resources for HIPAA-required security management processes, including risk analyses and security measures. These resources also cover how technical vulnerabilities are categorized and the mechanisms used to identify them. Similar resources can also be found with Mitre and the Health Sector Coordinating Sector.
As stakeholders have warned of possible targeted attacks or disruptions exploiting vulnerabilities amid the ongoing Russia-Ukraine conflict, providers should move quickly to review key measures to prevent potential exploitation. Regulated entities must consider the variety of approaches to identifying and mitigating vulnerabilities, particularly those with weak cybersecurity practices that make them “an attractive soft target.”
OCR stressed that weak authentication requirements were tied to 80% of healthcare data breaches caused by hacking. Further authentication missteps include weak password rules and the use of single-factor authentication.
HIPAA also contains insights into access and authentication rules, as well as technology able to address this potential weakness. The use of least privilege, granting access only to employees who need access to PHI, is also required by the security rule.
OCR also recommended the use of a privileged access management (PAM) system “to reduce the risk of unauthorized access to privileged accounts,” and reminded entities that HIPAA requires entities to “periodically review and modify implemented security measures to ensure such measures continue to protect ePHI” and conduct regular evaluations of safeguards.
“Many regulated entities continue to under-appreciate the risks and vulnerabilities of their actions or inaction,” particularly around remote access and unpatched or unsupported systems, OCR officials concluded. HIPAA provides the foundational, baseline security measures needed to protect health data.
The OCR sentiments echo Mitre's calls for healthcare providers to get back to cybersecurity basics, including incident response plans and employee education to bolster the first line of defense in the healthcare environment.