Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

New OCR Guidelines for Defending Against Cybersecurity Attacks

In a recent statement, President Biden encouraged private sector companies to give increased attention to their cybersecurity programs against potential attacks. This came soon after the news that Russia is reportedly exploring the possibility of directing cyberattacks towards US companies. 

Aside from possible Russian intervention, healthcare has long been the industry most targeted by hackers seeking unauthorized access to electronic information. Organizations safeguarding PHI and other sensitive forms of personal information should have robust cybersecurity programs in place with the ability to mitigate vulnerabilities, close gaps, and implement updates as new kinds of cyberattacks emerge.

The HHS Office for Civil Rights (OCR) recently released its Quarter 1 Cybersecurity Newsletter, which includes detailed, actionable security measures all organizations subject to HIPAA should be implementing. Here’s an overview of OCR’s recommended cybersecurity practices.

Protect Against Phishing

Phishing is one of the most common kinds of cybersecurity attacks. While phishing is often conducted over email, we’re now seeing an uptick in phishing over text message, known as smishing. Phishing and smishing are types of attacks that rely on user error. Many of these attacks will come in the form of messages that appear to be from a trusted source, or are offering things that are too good to be true. They urge the user to click on a link, which is where the trouble begins. 

This may go hand in hand with a ransomware attack, where, after clicking a link, sensitive data will be encrypted on the user’s device or system, followed by a message explaining that a sizable ransom will need to be paid in order to retrieve it. As part of your compliance program, all employees should be trained on how to recognize phishing, smishing, and other kinds of cyberattacks. They should also be trained on how to respond and who to contact if there is an issue, so company data is not compromised.

Security Training

The HIPAA Security Rule requires organizations to train all employees on security awareness and protocols. This program should involve periodic training, practice and refreshers of how to respond to cyber events, and ongoing education as cybersecurity standards change or threats develop. Your employees make mistakes and need to be reminded of how they can protect your organization. Training is one of your best tools for protecting against cyberattacks. 

Implement Policies and Procedures

If your organization is required to be HIPAA compliant, you must have a documented and implemented HIPAA compliance plan that outlines all the safeguards you have in place to protect sensitive information.  A comprehensive compliance plan will include Privacy and Security Policies and Procedures, a Disaster Recovery Plan, a Remote Work Policy, a BYOD (Bring Your Own Device Agreement), and Business Associate Agreements with third parties.

It is important to assign and document roles within your organization concerning who has access to what information, what safeguards are in place to protect it, and what protocols you should follow in the event of a breach. Staff should be thoroughly trained on company Policies and Procedures so they understand their role in keeping company information safe.

Conduct a Risk Assessment

One of the first essential steps in strengthening your compliance program is conducting a Risk Assessment. A Risk Assessment allows an organization to identify gaps and weaknesses in its security standards and mitigate them before they become an issue. It is an essential step in being HIPAA compliant and maintaining the security of your data.

A Risk Assessment may pinpoint technical vulnerabilities (i.e., lack of encryption, two-factor authentication, or strong passwords), administrative vulnerabilities (i.e., failure to appoint Privacy and Security Officers or document Policies and Procedures), as well as physical vulnerabilities (i.e., lack of security systems, locked file rooms, or desktop locks). Once these vulnerabilities are identified, assessed, and prioritized according to what constitutes the greatest security risk, you can begin to implement safeguards that address them.

Implement Access Controls

In handling PHI, it’s important to observe the minimum necessary rule. Ask yourself, what’s the minimum amount of information you need to give or receive to complete the task at hand? This, along with other forms of access controls, like setting access levels for different employees depending on their roles, are effective ways of managing who sees what information. This will ensure that no sensitive data is accessed by unauthorized parties.

You should periodically reassess the strength and effectiveness of your cybersecurity practices, taking care to consider any changes in your staff or organization that might make you more vulnerable to cyberattacks. To do this, you should be conducting an annual Risk Assessment and annual review of your Policies and Procedures to make sure they reflect the current state of your business.

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.

  1. Biden warns the private sector that Russia is exploring options for cyberattacks.
  2. OCR Quarter 1 2022 Cybersecurity Newsletter
  3. Cybersecurity Attacks Are Increasing. How Can You Keep Your Data Safe?
  4. HIPAA Compliance Guide: All Your Questions Answered
  5. Secure Remote Work During COVID-19

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)