As the healthcare industry continues to reel from the recent Change Healthcare ransomware attack that crippled much of the U.S. healthcare system, healthcare providers are rightly being reminded of the importance of cybersecurity safeguards. The HIPAA Security Rule requires regulated entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for electronic protected health information (ePHI). This includes:
- Ensure the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, and transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of your information.
- protect against reasonably anticipated unauthorized use or disclosure;and
- Thorough compliance by employees.
These security measures will need to be reviewed and modified as threats change.
Based on the Change Healthcare attack, targeted companies should consider the following:
- Explore recent cybersecurity guidance Created by the National Institute of Standards and Technology. The 122-page guide provides practical guidance and resources that regulated entities can use to better understand security rule requirements and protect ePHI. The first step in this process is a risk assessment to identify potential risks and vulnerabilities that could cause ePHI to be inappropriately disclosed, altered, or made unavailable. Our cybersecurity guide recommends the following steps:
- to understand This is where ePHI is created, received, maintained, processed, and transmitted.
- identify Potential threat events, sources, and vulnerabilities Based on knowledge gained from analyzing the operating environment and where ePHI flows (ransomware, phishing, insider threats, etc.).
- Determine the level of risk Determine the level, such as low, medium, or high, based on the likelihood that a reasonably expected threat will exploit the vulnerability and the resulting impact.
- document result.
- Based on this risk assessment, evaluate the following options: Implementing security measures and policies/procedures to mitigate potential risks and vulnerabilities. The Cybersecurity Guide includes a table of key activities to consider when implementing security rule requirements, includes steps you can take, and sample questions to consider when determining the adequacy of your cybersecurity measures. It is included. Key activities include technical safeguards, employee training, vendor audits, data minimization, etc.
- prepare for the worst. As the U.S. Department of Health and Human Services Office for Civil Rights reported last month, there has been a significant increase in HIPAA complaints and large-scale violations, with hacking/IT incidents continuing to account for the majority of reported violations. With the rise in cyber-attacks and increased attention to cybersecurity in the healthcare industry, healthcare providers are expected to increase their focus on preparedness. Therefore, covered entities should consider the following:
- Update incident response and business continuity plans;
- Simulate user reactions to such events desk exercise; and
- Under review Related contracts and Insurance coverage To ensure proper protection.