Health and human service organizations possess an abundance of protected health information (PHI), by the simple nature of their operations. With phishing, smishing, ransomware, and other dangerous cyberattacks on the rise, the threat posed to these organizations has never been higher. As a result, many government agencies—including the U.S. Department of Health & Human Services (HHS), Office of Civil Rights (OCR), and U.S. Food and Drug Administration (FDA)—are developing updated cybersecurity guidance and laws.

The following are several recent key cybersecurity updates that health and human service organizations should understand:

Enhanced Cybersecurity Focus within OCR

On February 27, 2023, HHS announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division within the OCR. OCR also renamed its Health Information Policy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to better reflect the role cybersecurity plays in its operations.

As HHS’ law enforcement agency, OCR is responsible for enforcing 55 civil rights, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA); investigating complaints; conducting compliance reviews; developing policies; promoting regulations; providing technical assistance; and educating the public about federal civil rights, privacy, and conscience laws.

The OCR’s caseload has multiplied in recent years, with a 69% increase in complaints from 2017 to 2022. As of 2022, the OCR received 51,000 complaints—27% alleged violations of civil rights, 7% alleged violations of conscience/religious freedom, and 66% alleged violations of health information privacy and security laws. Furthermore, large breaches of unsecured protected health information (PHI) have increased in recent years, with hacking accounting for 80% of the breaches OCR has experienced.

This recent reorganization of the OCR is intended to provide a more integrated operational structure for civil rights, conscience protections, privacy protections, and cybersecurity protections.

New HIPAA Regulations Surrounding Data Tracking Technologies

On Dec. 1, 2022, the OCR issued a bulletin to highlight the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies.

Tracking technologies are often used by organizations to collect and analyze information about user interactions with the organization’s websites, apps, etc. HIPAA’s Privacy, Security, and Breach Notification Rules apply when the information collected through tracking technologies includes PHI, and they prohibit the use of tracking technologies in a manner that would result in impermissible disclosures of PHI.

This new guidance addresses what a tracking technology is as well as how the HIPAA Rules apply to regulated entities’ use of tracking technologies in the following areas:

  • Tracking on user-authenticated webpages
  • Tracking on unauthenticated webpages
  • Tracking within mobile apps
  • HIPAA compliance obligations for regulated entities when using tracking technologies

Amended FDA Act Enforcing Cybersecurity in Medical Devices

Given the increased risk of cybersecurity threats to the healthcare sector, the FDA issued an amendment to the Food, Drug, and Cosmetic Act on Dec. 29, 2022, to add section 524B, Ensuring Cybersecurity of Devices.

As of March 29, 2023, this act now requires all new medical device applicants to follow the below steps to ensure cybersecurity:

  1. Submit a plan on how to monitor, identify, and address cybersecurity issues.
  2. Develop and maintain processes and procedures to provide reasonable assurance that the device is cybersecure.
  3. Provide a software bill of materials.
  4. Comply with all other requirements to ensure the device is cybersecure.

Updated Continuing Care Retirement Communities Regulators

Continuing Care Retirement Communities (CCRCs) are now regulated under the Gramm-Leach-Bliley Act (GLBA) cyber laws. This act requires organizations to safeguard sensitive data and explain their information-sharing practices to their customers.

Expanded Data Safeguards from the Federal Trade Commission Applicable to Entities Using Title IV Funds

In December 2021, the Federal Trade Commission (FTC) amended the standards for Safeguarding Customer Information. These cybersecurity requirements went into effect on June 9, 2023. This change impacts organizations using Title IV funds and could have other impacts as the definition of “covered entity” was greatly expanded.

The above represents only a brief overview of several recent cybersecurity updates impacting health and human service organizations. Thoroughly understanding and complying with these, and other applicable regulations, is key to mitigating the risk of dangerous and costly data breaches and cyberattacks. For assistance navigating these complex cybersecurity regulations, organizations should consider aligning with a trusted advisor who can offer tailored guidance specific to an organization.

OTHER HELPFUL RESOURCES:

The American Medical Association (AMA) has curated resources and has tips for physicians and health care staff to protect patient health records and other data from cyberattacks.

In May, the U.S. Food and Drug Administration (FDA) launched its third video focusing on how to prepare for a cybersecurity event and help ensure patient safety during a prolonged cybersecurity event.