7 HHS best practices to mitigate healthcare cyber threats

As cyber threat frequency and severity continue to grow, the HHS has stepped into the picture. Here’s a look at recent settlements announced by the HHS and its best practice recommendations to mitigate threats. 

Cyber threats pose a significant risk to the healthcare industry due to the sensitive nature of patient data. And the threat is only growing. In fact, there’s been a 256% increase in large breaches reported to the U.S Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in the last five years.

As a result, the OCR has begun to step in, first announcing a settlement with a Massachusetts-based medical management company resolving potential violations from a 2018 ransomware attack. The OCR has more recently announced its second settlement, with a HIPAA-regulated entity that fell victim to a ransomware attack in 2019, compromising the protected health information (PHI) of over 14,000 individuals.

These settlements highlight the increasing prevalence of ransomware as a significant cyber threat in the healthcare sector. Considering this growing threat, the OCR has released recommendations for best practices to help mitigate the risks of cyber threats:

1. Vendor and contractor relationships

   Healthcare organizations should review all vendor and contractor relationships to ensure that appropriate business associate agreements are in place. These agreements should address breach and security incident obligations, ensuring that all parties involved are committed to protecting sensitive data.

2. Risk analysis and management

   Organizations should also integrate risk analysis and risk management into business processes with regular assessments, especially when implementing new technologies or business operations. This proactive approach helps identify vulnerabilities and implement appropriate security measures.

3. Audit controls and information system activity

   By implementing audit controls to record and examine information system activity with regular reviews, healthcare organizations can promptly detect any suspicious or unauthorized access attempts.

4. Multifactor authentication

   To ensure only authorized users access protected health information, healthcare organizations should implement multifactor authentication. This additional layer of security can help prevent unauthorized access, even if login credentials are compromised.

5. Encryption of PHI

   By encrypting protected health information, organizations can ensure that even if the data is intercepted, it remains unreadable and unusable to unauthorized individuals.

6. Incorporating lessons learned

   Organizations should learn from previous incidents and incorporate those lessons into their overall security management process. This continuous improvement approach helps strengthen security measures and better protect against future cyber threats.

7. Workforce training

   Employees should be aware of their critical role in protecting privacy and security. Organizations should provide regular training on HIPAA policies and procedures, tailoring approaches to specific needs and job responsibilities.

Healthcare organizations can help mitigate cyber threats by ensuring HIPAA compliance and adhering to the HIPAA Security Rule, which requires implementation of security measures that can help prevent the introduction of malware, including ransomware. They’ll also benefit by reviewing OCR recommendations and making changes to their policies and procedures as necessary. By implementing robust security measures, conducting regular risk assessments, reviewing processes, and ensuring workforce awareness, organizations can better safeguard sensitive patient data from cybercriminals.

Learn more about strategies and practices to help mitigate cyber threats.