October 2022 OCR Cybersecurity Newsletter HIPAA Security Rule Security Incident Procedures

Mary Madison, RN, RAC-CT, CDP
Clinical Consultant – Briggs Healthcare

We’re in the last few days of October which means we’re still in Cybersecurity Awareness Month.

Every October, in recognition of National Cybersecurity Awareness Month, the federal government and its partners work to educate stakeholders on cybersecurity awareness and how best to protect the privacy and security of confidential data. Within the health care industry, the HIPAA Security Rule applies to covered entities and their business associates (“regulated entities”) and electronic protected health information (ePHI). Because ePHI identifies individuals and includes information relating to an individual’s health, treatment, or payment information, it is a valuable target for cyber-criminals.

Cybersecurity incidents and data breaches continue to increase across all industries. A 2022 cybersecurity firm report noted a 42% increase in cyber-attacks for the first half of 2022 compared to 2021, and a 69% increase in cyber-attacks targeting the health care sector. The number of data breaches occurring in the health care sector also continue to rise. Breaches of unsecured protected health information (PHI), including ePHI, reported to the HHS Office for Civil Rights (OCR) affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of PHI. A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks.

The HIPAA Security Rule requires regulated entities to “implement policies and procedures to address security incidents.”  This means regulated entities need to have a plan in place and documented for responding to security incidents (suspected or known) that includes:

  • identifying security incidents;
  • responding to security incidents;
  • mitigating harmful effects of security incidents; and
  • documenting security incidents and their outcomes.

Security incidents will almost inevitably occur during the lifetime of a regulated entity. Having a plan established and documented is essential to being able to detect security incidents quickly in order to respond to and recover from security incidents effectively.

Keep reading this important HIPAA-OCR newsletter. Share this newsletter with your team and colleagues.

You’ll find information regarding the Security Rule and Security Incident Procedures:

  • Forming a security incident response team
  • Identifying security incidents
  • Responding to security incidents
  • Mitigating harmful effects of a security incident
  • Documenting the security incident
  • Understanding your breach reporting obligations
  • Recent resolution of OCR investigation
  • Conclusion

The policies and procedures regulated entities create to prepare for and respond to security incidents can pay dividends in the long run with faster recovery times and reduced compromises of ePHI. A well thought-out, well-tested security incident response plan is integral to ensuring the confidentiality, integrity, and availability of a regulated entity’s ePHI.

  • Additional Resources

What does your facility’s plan look like? Do you have a plan on how to respond to a suspected or known security incident or data breach?  Are you protecting the privacy and security of PHI?