There have been several recent regulatory updates related to cybersecurity in health care.
This article first appeared on our sister site Medical Economics.
Health and human service organizations possess an abundance of protected health information (PHI), by the simple nature of their operations. With phishing, smishing, ransomware, and other dangerous cyberattacks on the rise, the threat posed to these organizations has never been higher. As a result, many government agencies—including the U.S. Department of Health & Human Services (HHS), Office of Civil Rights (OCR), and U.S. Food and Drug Administration (FDA)—are developing updated cybersecurity guidance and laws.
The following represent several of the recent, key cybersecurity updates that are important for health and human service organizations to understand:
On February 27, 2023, the HHS announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division within the OCR. OCR also renamed its Health Information Policy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to better reflect the role cybersecurity plays in its operations.
As HHS’ law enforcement agency, OCR is responsible for enforcing 55 civil rights, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA); investigating complaints; conducting compliance reviews; developing policies; promoting regulations; providing technical assistance; and educating the public about federal civil rights, privacy, and conscience laws.
The OCR’s caseload has multiplied in recent years, with a 69% increase in complaints from 2017 to 2022. As of 2022, the OCR received 51,000 complaints—27% alleged violations of civil rights, 7% alleged violations of conscience/religious freedom, and 66% alleged violations of health information privacy and security laws. Furthermore, large breaches of unsecured protected health information (PHI) have increased in recent years, with hacking accounting for 80% of the breaches OCR has experienced.
This recent reorganization of the OCR has been established to provide a more integrated operational structure for civil rights, conscience protections, privacy protections, and cybersecurity protections.
On Dec. 1, 2022, the OCR issued a bulletin to highlight the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies.
Tracking technologies are often used by organizations to collect and analyze information about user interactions with the organization’s websites, apps, etc. HIPAA’s Privacy, Security, and Breach Notification Rules apply when the information collected through tracking technologies includes PHI, and they prohibit the use of tracking technologies in a manner that would result in impermissible disclosures of PHI.
This new guidance addresses what a tracking technology is as well as how the HIPAA Rules apply to regulated entities’ use of tracking technologies in the following areas:
Given the increased risk of cybersecurity threats to the healthcare sector, the FDA issued an amendment to the Food, Drug, and Cosmetic Act on Dec. 29, 2022, to add section 524B, Ensuring Cybersecurity of Devices.
As of March 29, 2023, this act now requires all new medical device applicants to follow the below steps to ensure cybersecurity:
Continuing Care Retirement Communities (CCRCs) are now regulated under the Gramm-Leach-Bliley Act (GLBA) cyber laws. This act requires organizations to safeguard sensitive data and explain their information-sharing practices to their customers.
In December 2021, the Federal Trade Commission (FTC) amended the standards for Safeguarding Customer Information. These cybersecurity requirements went into effect on June 9, 2023. This change impacts organizations using Title IV funds and could have other impacts as the definition of “covered entity” was greatly expanded.
The above represents only a brief overview of several recent cybersecurity updates impacting health and human service organizations. Thoroughly understanding and complying with these, and other applicable regulations, is key to mitigating the risk of dangerous and costly data breaches and cyberattacks. For assistance navigating these complex cybersecurity regulations, organizations should consider aligning with a trusted advisor who can offer tailored guidance specific to an organization.
Carl Cadregari is an executive vice president in the FoxPointe Solutions/Information Risk Management Division of The Bonadio Group. Carl has expertise in the areas of data privacy and cybersecurity controls, physical, administrative, and technical security, enterprise risk management, vendor management, and disaster recovery planning, having worked with companies across almost all vertical markets ranging in size from small businesses to multi-regional and multi-national organizations with thousands of employees.