Reflecting on Cybersecurity Awareness Month


Summary:

OCR’s Director’s reflections on October cybersecurity awareness month and on OCR’s enforcement of the HIPAA Privacy, Security and Enforcement Rules.


As the Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), I am proud of my team’s work towards increasing cybersecurity awareness last month, and in fact, every month. OCR enforces the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, and Enforcement Rules to keep individuals’ health information private and secure.

To keep individuals’ protected health information safe, an organization must have strong cybersecurity measures. When a HIPAA-regulated entity understands good cybersecurity practices and has them in place, the risk of protected health information being compromised is lower. To promote these good practices, OCR offers resources to the public and covered entities that address trending cybersecurity topics. Although strong cybersecurity habits should be practiced year-round, OCR celebrated October’s Cybersecurity Awareness Month with gusto in the following ways:

  • Resource Documents on Telehealth: OCR issued two resource documents to promote cybersecurity in telehealth for different audiences.
  • Newsletter on Sanctions Policies: OCR frequently publishes Cybersecurity Newsletters to keep the public informed of the most up-to-date cybersecurity topics. In October, OCR put out a newsletter on “How Sanction Policies Can Support HIPAA Compliance”. An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. The newsletter described what the functions, content, and execution of such a policy might look like.
  • Videos on Defending Against Cyber-Attacks: OCR released two videos, in English and Spanish, on the HIPAA Security Rule and how it can help regulated entities defend against cyber-attacks. The videos discuss real world cyber-attack trends, based on OCR’s experience with its breach reports and enforcement, along with ways to detect and mitigate common cyber-attacks.
  • Settlements: OCR announced its first ever settlement concerning a ransomware attack. Ransomware is a type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. This settlement with a business associate highlights how ransomware attacks are increasingly common and targeting the health care system. 
  • Webinar on Risk Analysis: To cap off Cybersecurity Awareness Month, OCR hosted a webinar titled “The HIPAA Security Rule Risk Analysis Requirement” for an audience of over 4,000 registrants. A risk analysis is a key and necessary step for effective cybersecurity and HIPAA Security Rule compliance. This webinar discussed what is required to conduct an accurate and thorough assessment of risks to protected health information.
  • Cybersecurity Training: Throughout October, OCR’s eight regional offices conducted cybersecurity training for large hospitals, small medical providers, business associates, state health departments, and state social service agencies to assist them in complying with their cybersecurity obligations in the face of changing hostile threats.

We encourage your efforts to keep your organization in compliance with HIPAA, and part of that effort is having strong cybersecurity measures. Stay tuned for future OCR announcements in support of HIPAA and cybersecurity, and please make use of our free cybersecurity resources.

Author: News Network