Healthcare organizations continue to be prime targets for cyberattacks. It is well established that cyberattacks can lead to financial loss, reputational damage and, in some cases, risks to patient care and safety. The recent high-profile cybersecurity incident affecting Change Healthcare further demonstrates these risks. On March 5, 2024, the U.S. Department of Health and Human Services (HHS) issued a public statement and announced that it had begun an investigation, as this latest cyberattack had a widespread and devastating impact on the healthcare ecosystem.
Given these growing threats and their potentially disruptive impact on the healthcare industry, HHS's 2024 agenda continues to encourage compliance with cybersecurity and privacy regulations through a variety of mechanisms. Specific initiatives as of Q1 2024 include updated guidance from HHS and the National Institute of Standards and Technology (NIST), modifications to existing regulations, and the use of investigative and enforcement authorities.
Latest guidance
As a foundational step, HHS ended 2023 with the publication of its Health Sector Cybersecurity Concept Paper. Shortly after, on January 24, 2024, HHS introduced the Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs) and launched a gateway website to assist organizations with their implementation. The HPH CPGs help healthcare organizations, including small and medium-sized ones, implement baseline protections that address common vulnerabilities (Essential Goals), and they outline specific measures that help organizations mature their cybersecurity capabilities to the next level of protection (Enhanced Goals). The HPH CPGs are consistent with the existing Health Industry Cybersecurity Practices (HICP) and map to the controls outlined in NIST Special Publication 800-53 (NIST SP 800-53), Security and Privacy Controls for Information Systems and Organizations. Although the HPH CPGs provide foundational practices to strengthen cyber preparedness and resilience, they are voluntary in nature and do not replace an organization's obligation to comply with the Health Insurance Portability and Accountability Act (HIPAA). However, in the concept paper, HHS indicated its intention to work with Congress to establish incentives that would "encourage all hospitals to invest in advanced cybersecurity practices to implement 'enhanced' HPH CPGs." In the meantime, it is important to note that state legislatures are also looking for ways to strengthen cybersecurity, as previously discussed here.
In February 2024, NIST also completed its long-awaited update, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, SP 800-66r2. NIST's guide to implementing the HIPAA Security Rule, first published in 2005 and updated in 2008, provides practical guidance for assessing and addressing risk in an organization. The newly released guidance includes updates that account for changes in technology, such as cloud computing, mobile devices, and tracking technologies, as well as the increasing sophistication of threat actors. NIST's update also includes a robust appendix containing a set of HIPAA Security Rule resources that covered entities and business associates can use in their compliance efforts.
Compliance audits
The HHS Office for Civil Rights (OCR) is taking initial steps toward the next round of audits required by the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH requires HHS to periodically audit HIPAA-covered entities and business associates for compliance with HIPAA's privacy, security, and breach notification rules. Specifically, on February 12, 2024, OCR issued a draft Information Collection Request (ICR) seeking comment on the effectiveness and burden estimates of past audits. If the ICR moves forward, OCR will focus on gathering feedback from the 207 covered entities and business associates that were part of the HIPAA audits conducted in 2016-2017. If your organization was subject to these previous audits, consider providing feedback to the contacts listed in the ICR by April 12, 2024.
Regulatory changes
On February 16, 2024, HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights (OCR), published a final rule updating 42 CFR Part 2 (Part 2), Confidentiality of Substance Use Disorder (SUD) Patient Records (the Final Rule). The Final Rule clarifies existing Part 2 permissions and limitations to more closely align certain Part 2 requirements with the HIPAA regulations and to improve the ability of entities to use and disclose Part 2 records. Notably, as stated in an HHS press release, the Final Rule permits "a single patient consent, once given, for all future uses and disclosures" of Part 2 records for treatment, payment, and health care operations, and it outlines new breach notification requirements. The Final Rule is scheduled to go into effect on April 16, 2024, but SUD providers have until February 16, 2026 to comply.
Investigation and enforcement
OCR recently resolved a high-profile investigation, demonstrating its intent to hold healthcare organizations accountable for security compliance. On February 21, 2024, OCR announced a settlement with a Maryland-based provider arising from a ransomware attack that resulted in the encryption of patient records and affected more than 14,000 people. This is OCR's second ransomware settlement. In a press release, OCR alleged that the provider failed to implement security measures to mitigate risks and vulnerabilities and also failed to adequately monitor its health information systems. The settlement amount is $40,000, and the corrective action plan requires three years of monitoring by OCR. As ransomware attacks continue to plague healthcare organizations, it is important to note that regulators investigating ransomware-related breach reports will continue to exercise their enforcement authority where there are concerns that such breaches may be due in part to security deficiencies at HIPAA-covered entities.
Looking ahead
As these developments demonstrate, HHS's activities in the first quarter of 2024 continue to emphasize cybersecurity. It is therefore essential for healthcare organizations to thoroughly evaluate their privacy and security programs, ensure compliance with evolving privacy and security standards, stay on top of enforcement trends, and understand recognized healthcare industry security best practices amid a changing threat landscape.