Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

New OCR Guidelines for Defending Against Cybersecurity Attacks

In a recent statement, President Biden encouraged private sector companies to give increased attention to their cybersecurity programs against potential attacks. This came soon after the news that Russia is reportedly exploring the possibility of directing cyberattacks towards US companies. 

Aside from possible Russian intervention, healthcare has long been the industry most targeted by hackers seeking unauthorized access to electronic information. Organizations safeguarding PHI and other sensitive forms of personal information should have robust cybersecurity programs in place with the ability to mitigate vulnerabilities, close gaps, and implement updates as new kinds of cyberattacks emerge.

The HHS Office for Civil Rights (OCR) recently released its Quarter 1 Cybersecurity Newsletter, which includes detailed, actionable security measures all organizations subject to HIPAA should be implementing. Here’s an overview of OCR’s recommended cybersecurity practices.

Protect Against Phishing

Phishing is one of the most common kinds of cybersecurity attacks. While phishing is often conducted over email, we’re now seeing an uptick in phishing over text message, known as smishing. Phishing and smishing are types of attacks that rely on user error. Many of these attacks will come in the form of messages that appear to be from a trusted source, or are offering things that are too good to be true. They urge the user to click on a link, which is where the trouble begins. 

This may go hand in hand with a ransomware attack, where, after clicking a link, sensitive data will be encrypted on the user’s device or system, followed by a message explaining that a sizable ransom will need to be paid in order to retrieve it. As part of your compliance program, all employees should be trained on how to recognize phishing, smishing, and other kinds of cyberattacks. They should also be trained on how to respond and who to contact if there is an issue, so company data is not compromised.

Security Training

The HIPAA Security Rule requires organizations to train all employees on security awareness and protocols. This program should involve periodic training, practice and refreshers of how to respond to cyber events, and ongoing education as cybersecurity standards change or threats develop. Your employees make mistakes and need to be reminded of how they can protect your organization. Training is one of your best tools for protecting against cyberattacks. 

Implement Policies and Procedures

If your organization is required to be HIPAA compliant, you must have a documented and implemented HIPAA compliance plan that outlines all the safeguards you have in place to protect sensitive information.  A comprehensive compliance plan will include Privacy and Security Policies and Procedures, a Disaster Recovery Plan, a Remote Work Policy, a BYOD (Bring Your Own Device Agreement), and Business Associate Agreements with third parties.

It is important to assign and document roles within your organization concerning who has access to what information, what safeguards are in place to protect it, and what protocols you should follow in the event of a breach. Staff should be thoroughly trained on company Policies and Procedures so they understand their role in keeping company information safe.

Conduct a Risk Assessment

One of the first essential steps in strengthening your compliance program is conducting a Risk Assessment. A Risk Assessment allows an organization to identify gaps and weaknesses in its security standards and mitigate them before they become an issue. It is an essential step in being HIPAA compliant and maintaining the security of your data.

A Risk Assessment may pinpoint technical vulnerabilities (i.e., lack of encryption, two-factor authentication, or strong passwords), administrative vulnerabilities (i.e., failure to appoint Privacy and Security Officers or document Policies and Procedures), as well as physical vulnerabilities (i.e., lack of security systems, locked file rooms, or desktop locks). Once these vulnerabilities are identified, assessed, and prioritized according to what constitutes the greatest security risk, you can begin to implement safeguards that address them.

Implement Access Controls

In handling PHI, it’s important to observe the minimum necessary rule. Ask yourself, what’s the minimum amount of information you need to give or receive to complete the task at hand? This, along with other forms of access controls, like setting access levels for different employees depending on their roles, are effective ways of managing who sees what information. This will ensure that no sensitive data is accessed by unauthorized parties.

You should periodically reassess the strength and effectiveness of your cybersecurity practices, taking care to consider any changes in your staff or organization that might make you more vulnerable to cyberattacks. To do this, you should be conducting an annual Risk Assessment and annual review of your Policies and Procedures to make sure they reflect the current state of your business.

Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your organization.

Want to know more about how you can become HIPAA compliant?

Email us at info@totalhipaa.com to learn more about how we can help your organization become (and stay!) HIPAA Compliant. Or, get started here.

  1. Biden warns the private sector that Russia is exploring options for cyberattacks.
  2. OCR Quarter 1 2022 Cybersecurity Newsletter
  3. Cybersecurity Attacks Are Increasing. How Can You Keep Your Data Safe?
  4. HIPAA Compliance Guide: All Your Questions Answered
  5. Secure Remote Work During COVID-19

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2022

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

Microsoft End of Support for 2023

Microsoft End of Support for 2023

Each year, we publish Microsoft’s End of Support list because using up-to-date software is essential for HIPAA compliance. Microsoft will terminate support for earlier versions of a long list of its...

Top 10 Total HIPAA Blog Posts of 2022

Top 10 Total HIPAA Blog Posts of 2022

Throughout 2022, Total HIPAA has focused on providing information that will keep your organization HIPAA compliant and secure by blogging on relevant topics that matter. This is our last blog of...

Why Insurance Agents Need to Be HIPAA Compliant

Why Insurance Agents Need to Be HIPAA Compliant

The world of HIPAA compliance is often confusing and complex. It can be hard to tell what exactly the standards and requirements are and to whom they apply. Whether you’re an insurance agent or do...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)