HHS Calls for Stronger Protections for Electronic Protected Health Information
The Department of Health and Human Services has urged organizations regulated by the Health Insurance Portability and Accountability Act to step up their security for electronic protected health information.
In its cybersecurity newsletter, the HHS Office for Civil Rights (OCR) said that many HIPAA-covered entities underestimate the impact of their action or inaction on ePHI security.
While some attacks, including zero-day exploits, are difficult to defend against, most other cyberattacks can be mitigated by implementing HIPAA Security Rule requirements, OCR said.
The HIPAA Security Rule requires covered entities to implement appropriate administrative, physical and technical protections for ePHI.
OCR said that the Security Rule is designed to address common types of attacks such as phishing, the use of known vulnerabilities and the exploitation of weak authentication protocols.
Entities can mitigate phishing attacks by implementing security awareness and training programs for their workforce members. Such programs should be continuous and flexible enough to adapt to new cybersecurity threats, OCR said.
To address the exploitation of known vulnerabilities, HIPAA-covered organizations should conduct risk analyses of potential threats to the confidentiality, integrity and availability of ePHI, OCR added.
Lastly, to counter weak authentication, the Security Rule requires entities to make ePHI accessible only to those who need it. OCR advised entities to ensure that privileged accounts, such as those of administrators, are not exploited for unauthorized access.
OCR emphasized the dangers of successful cyberattacks on ePHI, which can disrupt the delivery of health care services to patients. The number of ePHI breaches affecting at least 500 individuals increased by 45 percent between 2019 and 2020, the office reported.
Tags: cybersecurity electronic protected health information ePHI HHS HIPAA HIPAA Security Rule Office for Civil Rights phishing