On February 28, 2022, the Director of the U.S. Department of Health and Human Services Office for Civil Rights, Lisa Pino, published a blog post titled “Improving the Cybersecurity Posture of Healthcare in 2022.” Ms. Pino’s blog post was a call to action, encouraging covered entities and business associates to strengthen their cyber posture in 2022 and to perform enterprise-wide risk analyses.
Ms. Pino now leads the enforcement of HIPAA Privacy, Security, and Breach Notification Rules. Her blog discusses her government service and experience related to cyberattacks and cyber breach mitigation and notes her intention to continue “prioritizing cyber security and patient privacy.” Ms. Pino highlighted what many people have observed – increased publicity and occurrence of cyberattacks in 2021, especially in the healthcare industry. She noted that “[f]or healthcare,  was even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the Covid-19 pandemic.” As an example, Ms. Pino highlighted the vulnerabilities in the popular Java-based logging software, “Log4J,” which cybercriminals have reportedly exploited to gain access to servers and networks. The increased reporting of cyberattacks and vulnerabilities underscore why health care companies must be “vigilant in their approach to cybersecurity,” according to Ms. Pino.
One important observation that Ms. Pino also identified related to risk management policies and their limited scope. Ms. Pino noted that many risk management policies are limited to electronic health records as opposed to the entire organization. She cautioned: “I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope. You should fully understand where all electronically protected health information (ePHI) exists across your organization – from software to connected devices, legacy systems, and elsewhere across your network.”
Ms. Pino provided a few best practices, including (1) employee training; (2) conducting regular scans to identify vulnerabilities; (3) maintaining offline, encrypted backups (and regularly testing backups); and (4) obtaining regular patches and updates. She also provided several resources and guidance materials on various topics.
- Ransomware: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
- Cybersecurity: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
- Risk Analysis: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
- HHS Security Risk Assessment Tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool.
Covered entities and business associates should heed Ms. Pino’s warnings. Cyberattacks are not declining. Organizations should take meaningful steps to reduce the likelihood of a cyber event occurring and reduce the impact of such an event. Now that Ms. Pino has informally encouraged “enterprise-wide risk analysis,” covered entities and business associates should be prepared for inquiries and questions in future OCR investigations related to the scope of their risk analysis and should be prepared to show that an enterprise-wide risk analysis was performed.
The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA-related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation. If you need assistance with such a matter, please contact us today.