Third Party Risk Management, Business Continuity Management/Disaster Recovery, Critical Infrastructure Security

Director Lisa Pino urges entities to focus more on cyberattacks

Marianne Kolbasuk McGee (HealthInfoSec) •
March 1, 2022

Lisa Pino, Director of HHS OCR

The Federal Enforcement Agency HIPAA urges Covered Entities and Business Associates to focus more on protecting their organizations from hacking incidents as cyberattacks against all critical infrastructure industries, including the healthcare sector, continue to increase.

See also: Case Study: The Road to Zero Trust

“For health care, 2021 has been even more turbulent as cybercriminals have taken advantage of hospitals and health care systems responding to the COVID-19 pandemic,” said Lisa Pino, director of the Department of Civil Rights Office on Tuesday. Health and Social Services.

Pino’s remarks came during a presentation on the HIPAA law enforcement agency’s policy and regulatory priorities at the 31st Annual HIPAA Summit, which took place virtually this year due to the pandemic.

“More than one healthcare provider has been forced to cancel surgeries, chemotherapy, X-rays and other services because their systems, software or networks were disabled,” he said. she said, referring to numerous ransomware attacks against hospital and healthcare industry entities over the past year.

Key Considerations

In addition to these ransomware threats, exploiting critical security vulnerabilities, such as Apache Log4J flaws, also poses potential hacking risks for organizations of all sizes, she said.

“These reports underscore why it’s so important for healthcare to be vigilant in their approach to cybersecurity,” she says. “I’m calling Covered Entities and Business Associates in 2022 to strengthen your organization’s cyber posture.”

Critical steps Covered Entities and Business Associates must follow include maintaining encrypted offline data backups and regularly testing backups; perform regular scans to identify and address vulnerabilities; regularly correct and update software and operating systems; and training employees on phishing and other common scams, Pino says.

She adds that it is also essential to perform a comprehensive and timely analysis of enterprise-wide security risks.

Breach Trends

HHS OCR recently submitted to Congress its annual report on breaches affecting protected health information, as required by the HITECH Act, Pino said.

The report, which analyzed breaches reported in the 2020 calendar year, says the OCR received 656 breach notifications affecting 500 or more people, representing a 61% increase over the number of reports received. in calendar year 2019. These violations reported in 2020 affected more than 37.6 million individuals.

Hacking incidents were the most frequently reported category of breaches. Of the 429 hacking incidents reported to OCR in 2020 as affecting 500 or more people, 199 involved ransomware.

The OCR report to Congress also shows that the agency received 66,509 reports of breaches affecting fewer than 500 people, with unauthorized access or disclosure being reported as the most frequent type of minor breach reported. These violations have affected a total of nearly 313,000 people.

By comparison, Pino said, in 2016 the OCR received 114 material breach reports involving a hacking/computer incident, while in 2021 it received 527 such reports.

“The Biden-Harris administration recognizes that the United States faces persistent and increasingly sophisticated cyber threats.[actors] that threatens the public and private sectors, and ultimately the privacy and security of the American people. And they understand cyberattacks all too well.”

Pino served as a senior adviser during the Obama administration, leading the Department of Homeland Security’s breach mitigation response to the 2015 cyberattack on the Office of Personnel Management. That incident compromised the records of 22 million “surrogate profiles,” the largest hacking incident in federal history, she said.

Rule-making work

Among HHS OCR’s rule-making priorities this year is a request for information regarding an as-yet-unmet provision of the HITECH Act of 2009 on how HHS OCR could distribute a percentage of the funds it raises to victims. HIPAA violation regulations and civil money penalties, Pino said.

In this RFI, the OCR will also seek public comment on how the agency should consider the security practices of Covered Entities and Business Associates when determining enforcement actions in the event of a breach. potential for HIPAA and other violations, she said.

This planned regulation comes after Congress passed legislation last year amending the HITECH Act to require HHS OCR to determine whether a breached entity attempted in “good faith” to implement “recognized” security practices before that the agency issues a HIPAA enforcement action.

Other planned rulemaking work includes efforts by the OCR and the HHS Mental Health and Substance Abuse Services Administration to “better harmonize” 42 CFR Part 2, the federal law that governs the privacy of substance use disorder information, with certain HIPAA permissions and requirements, Pino says.

Other regulatory work includes plans to issue a final rule amending the HIPAA Privacy Rule “to support and remove barriers” in patient care coordination and individual engagement, she says.

HHS OCR received over 1,400 public comments on its proposed rule, released in December 2020, to amend the HIPAA Privacy Rule.

Enforcement measures

On the enforcement side, Pino also says the OCR, among other cases, will continue to pursue complaints about potential violations of the HIPAA Right of Access provision that supports the right of individuals to access and get copies of their health information.

To date, since 2019, HHS OCR has taken enforcement action in 25 right of access cases.

Overall, in 2021, HHS OCR took enforcement action in 14 cases of HIPAA violations, “and more announcements are coming,” she says.

Pino declined to comment during his presentation on how or if OCR’s approach to HIPAA enforcement was affected by a 2021 federal 5th Circuit Court of Appeals ruling quashing a lawsuit in justice against the University of Texas MD Anderson Cancer Center.

In that case, in which the cancer center appealed a $4.3 million HIPAA civil monetary penalty, the Louisiana Court of Appeals challenged OCR’s interpretation of the HIPAA requirements and the how it sets civil monetary penalties.

“OCR’s rigorous enforcement of HIPAA rules continues,” says Pino.