Important Cybersecurity Updates for HIPAA and Health Service Organizations

This article was written by Brandon Agostinelli, Consulting Manager at FoxPointe Solutions and Carl Cadregari, Executive Vice President at FoxPointe Solutions

Health and human service organizations, Business Associates of human service organizations, and other health information covered entities possess an abundance of protected health information (PHI), by the simple nature of their operations. With phishing, smishing, ransomware, and other dangerous cyber-attacks on the rise, the threat posed to these organizations has never been higher. As a result, many government agencies—including the U.S. Department of Health & Human Services (HHS), Office of Civil Rights (OCR), and U.S. Food and Drug Administration (FDA)—are developing updated cybersecurity guidance and laws.

The following represent several of the recent key cybersecurity updates that are important for health and human service organizations to understand.

Enhanced Cybersecurity Focus within OCR

On February 27, 2023, the HHS announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division within the OCR. In addition, OCR also renamed its Health Information Policy Division (HIP) to be the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to better reflect the role that cybersecurity plays in their operations.

As HHS’ law enforcement agency, the OCR is responsible for enforcing 55 civil rights and laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA); investigating complaints; conducting compliance reviews; developing policies; promoting regulations; providing technical assistance; and educating the public about federal civil rights, privacy, and conscience laws.

The OCR’s caseload has multiplied in recent years, with a 69 percent increase in complaints from 2017 to 2022. As of 2022, the OCR received 51,000 complaints—with 27 percent regarding alleged violations of civil rights, 7 percent regarding alleged violations of conscience/religious freedom, and 66 percent regarding alleged violations of health information privacy and security laws. Furthermore, large breaches of unsecured protected health information (PHI) have increased in recent years, with hacking accounting for 80 percent of the breaches that were reported to the OCR.

This recent reorganization of the OCR has been established to provide a more integrated operational structure for civil rights, conscience, privacy, and cybersecurity protections.

New HIPAA Regulations Surrounding Data Tracking Technologies

On December 1, 2022, the OCR issued a bulletin to highlight the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies.

Tracking technologies are often used by organizations to collect and analyze information about user interactions with the organization’s websites, applications, etc. HIPAA’s Privacy, Security, and Breach Notification Rules apply when the information collected through tracking technologies includes PHI and prohibits the use of tracking technologies in a manner that would result in impermissible disclosures of PHI.

This new guidance addresses what a tracking technology is as well as how the HIPAA Rules apply to regulated entities’ use of tracking technologies in the following areas:

• Tracking on user-authenticated webpages
• Tracking on unauthenticated webpages
• Tracking within mobile apps
• HIPAA compliance obligations for regulated entities when using tracking technologies

Amended FDA Act Enforcing Cybersecurity in Medical Devices

Given the increased risk of cybersecurity threats to the healthcare sector, the FDA issued an amendment to the Food, Drug, and Cosmetic Act to add section 524B, Ensuring Cybersecurity of Devices on December 29, 2022.

As of March 29, 2023, this act now requires all new medical device customers to follow the below steps to ensure cybersecurity:

• Submit a plan on how to monitor, identify, and address cybersecurity issues.
• Develop and maintain processes and procedures to provide reasonable assurance that the device is cybersecure.
• Provide a software bill of materials.

• Comply with all other requirements to ensure the device is cybersecure.

Updated Continuing Care Retirement Communities Regulators

Continuing Care Retirement Communities (CCRC) are now regulated under the Gramm-Leach-Bliley Act (GLBA) cyber laws. This act requires organizations to safeguard sensitive data and explain their information-sharing practices to their customers. On December 2021, the Federal Trade Commission (FTC) amended the standards for Safeguarding Customer Information. These cybersecurity requirements went into effect on June 9, 2023.

Enhancement of User Authentication

On June 30, 2023, OCR released formal guidance emphasizing the need for stronger user authentication mechanisms protecting sensitive information, including electronic protected health information (ePHI). As OCR points out, recent cyber research shows that the vast majority of breaches (86%) of externally facing systems (such as email, websites, etc.) were perpetrated with stolen credentials. OCR’s enhanced guidance here sets forth the recommended best practices to ensure your organization is not next on the list of headlines. In recent years, every industry, including food production, cellular carriers, and oil companies, has experienced such issues with their authentication mechanisms.

As a first step, ensuring that a single factor of authentication is sufficiently protected and complex is important in order to prevent credential compromise. This would include strong password parameters, use of encryption to store passwords, and monitoring for stolen credentials. Additionally, and serving as another layer of security that is highly recommended by CISA (Cybersecurity and Infrastructure Security Agency), multi-factor authentication is highly effective at limiting risk of threat actors compromising user authentication systems. Two forms of authentication are required in order to have a multi-factor system implemented. The overall goal of multi-factor authentication is to prevent system compromise events if the first form of authentication (i.e., password, PIN, etc.) is stolen or hacked. Multi-factor authentication would be best and most commonly implemented with a user having a credential that they know (such as a password), and something that they are (such as facial recognition). Because the risk of compromise is so great when external systems do not have multi-factor authentication protecting the front door, the HHS, in addition to OCR, recently formally recognized the importance of multi-factor authentication by encouraging its use for remote access to systems and to email as best practices in a publication dated April 2023.

What does HIPAA say about this? While the HIPAA Security Rule does not require multi-factor authentication explicitly for all organizations, the Rule does require that all regulated entities (covered entities and business associates) implement authentication mechanisms and controls that at minimum “verify that a person or entity seeking access to electronic protected health information is the one claimed” (45 CFR 164.312(d)). Furthermore, due to the HIPAA Security Rule’s flexibility principle, a regulated entity’s risk management program should determine the implementation of user authentication controls that appropriately and sufficiently reduce the risks to the confidentiality, integrity, and availability of ePHI. Acceptable and expected cybersecurity controls at each organization is dependent on their size, complexity, and data footprint. For an organization with remote access available to users that want to access information systems that house ePHI, this function may inherently pose more risk than if access was only permitted in person; therefore, stronger authentication processes (such multi-factor authentication) may be required when implementing remote access tools to reduce risks of compromise appropriately and sufficiently.

In conclusion, OCR goes on to say that as a general best practice, all regulated entities should consider implementing multi-factor authentication solutions when determined to be appropriate in order to enhance the protection of information systems that house ePHI.

Additional Risk Focus

Organizations need to apply additional attention and scrutiny on a handful of key areas that are regularly documented as major compliance weaknesses by OCR, the Centers for Medicare and Medicaid Services, HHS, New York State, and other standards mentioned previously in this article. Those major compliance weaknesses include at least the following:

• Risk assessments are not performed, or those performed are inadequate, not reported as required, or lacking measurable remediation; if you haven’t completed and documented a full, thorough, and accurate assessment in the last 12 months, have one done now.
• There is a lack of appropriate data encryption; this is a real safe harbor technology - any protected data in transit or at rest needs to be encrypted to significantly reduce risk of breaches.
• There is improper data access on computer systems and portable devices, causing unreported disclosures and breaches; start implementing multi-factor authentication as soon as possible.
• Vendor management programs are not in place or ineffective; it is critical that you have a robust vendor risk and audit program in place, as third and fourth parties now represent the source of over 50% of data breaches.
• There are inadequacies in user authorization, audit, and reporting of inappropriate or unapproved access; make sure your audit controls are in place and documented.

• There is a lack of or inadequacy of Security Awareness Training programs; your staff needs to be trained at hire and at least annually, as they are a significant layer of protection when they are appropriately trained.
• There is a lack of crisis management planning, negatively affecting required business impact planning, disaster recovery testing, and business continuity controls; if you haven’t tested your recovery and incident management plans recently, have a tabletop or other test completed and documented as soon as possible.

The issues above represent only a brief overview of several recent cybersecurity updates impacting health and human service organizations. Thoroughly understanding and complying with these and other applicable regulations is key to mitigating the risk of dangerous and costly data breaches and cyber-attacks. For assistance navigating these complex cybersecurity regulations, organizations should consider aligning with a trusted advisor who can offer tailored guidance specific to an organization.

Brandon is a consulting manager in the FoxPointe Solutions/Information Risk Management Division of The Bonadio Group. Brandon has expertise in risk management and internal and external auditing of information technology and information security practices and controls. He provides these services for clients across multiple industries, including public and private companies, healthcare organizations, tech companies, and school districts, ensuring that controls are functioning properly.

Carl is an executive vice president in the FoxPointe Solutions/Information Risk Management Division of The Bonadio Group. Carl has expertise in the areas of data privacy and cybersecurity controls, physical, administrative, and technical security, enterprise risk management, vendor management, and disaster recovery planning, having worked with companies across almost all vertical markets ranging in size from small businesses to multi-regional and multi-national organizations with thousands of employees.

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.