"We owe it to our patients, and industry, to improve our cybersecurity posture in 2022..."

On Monday, the new OCR Director, Lisa Pino, addressed recent cyberattacks and called for an improved cybersecurity posture in the healthcare industry.

After sharing her background in cybersecurity, Pino went on to describe the current state of cybercrime against the healthcare industry. We saw cyberattacks rise in 2021 as hackers found ways around the IT protections of government agencies, large companies, and even major supply chains. For healthcare organizations, 2021 was “even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the Covid-19 pandemic.”

With systems being shut down and disabled and networks going offline, multiple healthcare providers had no choice but to cancel surgeries, radiology exams, and other essential services. At the end of 2021, a “critical vulnerability” was discovered “in a widely used Java-based software,” which “grabbed headlines with warnings about the potential risks this security flaw could pose for organizations of all sizes.” Software vulnerabilities like that one can allow hackers to infiltrate a provider’s system easily, gaining access to servers and other storage locations for protected health information.

What About My Practice?

So, what does this mean for you? Pino says:

“These reports underscore why it is so important for healthcare to be vigilant in their approach to cybersecurity. With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022.”

Before we look at Pino’s suggested risk management steps, we want to address two different types of people that may be reading this article.

If you are already a Medcurity customer, we want to remind you that we are here for you. If you need anything or have questions about your current cybersecurity defenses, don't hesitate to contact your team at Medcurity. We are more than happy to help.

For those of you who don’t know us: Medcurity exists to provide solutions and services that help healthcare providers simplify HIPAA compliance, starting with the Security Risk Analysis (SRA). Conducting this analysis is the first step in protecting the privacy and security of your organization’s patient data, which is why HIPAA law requires every covered entity and business associate to perform an SRA.

A thorough risk analysis identifies the “potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” Pino said this about the SRA in her post:

“All too often, we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope. You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.

“If you haven’t looked at your risk management policies and procedures recently to prevent or mitigate these concerns, now is the time to do so.”

We're Here to Help

At Medcurity, we know you have a lot on your plate, and privacy and security can be a confusing and stressful addition to an already hectic schedule. That's why we designed the Medcurity platform to take the stress out of your SRA. With our all-in-one compliance platform, you can start your Security Risk Analysis today.

Want to make sure you’re following cybersecurity best practices? Here is Pino’s list of strategies:

  • “Maintaining offline, encrypted backups of data and regularly test your backups;
  • Conducting regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface;
  • Regular patches and updates of software and Operating Systems; and
  • Training your employees regarding phishing and other common IT attacks."

Pino included several resources for providers in the rest of her post, which you can find here.

If you want to learn more about the Medcurity platform, or have questions about data privacy and security, contact our team.