HIPAA audits overview
In December 2020, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released its 2016-2017 HIPAA Audits Industry Report that reviewed selected healthcare entities and business associates for compliance with the HIPAA Privacy, Security and Breach Notification Rules. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires periodic audits of covered entities and business associates regarding their compliance with HIPAA. OCR conducted audits of 166 covered entities and 41 business associates. The summary results of the OCR audits note that most covered entities failed to:
- Provide all of the required content for a Notice of Privacy Practices
- Provide all of the required content for breach notification to individuals
- Properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee
- Implement the HIPAA Security Rule requirements for risk analysis and risk management
The OCR audits also concluded that most covered entities met the timeliness requirements for providing breach notification to individuals, and most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website.
“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until healthcare entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”
In the fall of 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and HHS coauthored a joint cybersecurity advisory. It describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain (1).
Healthcare organizations have become a preferred target for attackers. Recent figures published by Check Point Software Technologies indicate a sharp 25% increase in cyberattacks over November and December 2020 and January 2021 compared with the period before November 2020.
