Summary:
In October 2004, Cybersecurity Awareness Month was first established as a collaboration between industry and government to bring attention to the growing cybersecurity threats and challenges that all individuals and organizations face. These threats to electronic protected health information have only grown in the succeeding years.
Every year, the HHS Office for Civil Rights (OCR) receives large breach reports from covered entities (health plans, health care clearinghouses, and most health care providers) or their business associates reporting breaches of unsecured protected health information that affect 500 or more individuals. From 2019 to 2023, the large breach reports received involving hacking increased 89%, and those involving ransomware increased 102%. The number of people affected annually by these large breaches is also increasing: for the same time period, the number of individuals affected increased 262%. These trends are expected to continue into the foreseeable future. With this knowledge, the health care sector must increase its efforts to protect electronic health records from cyber-attackers and thieves.
This year, OCR is engaging in many varied activities to support Cybersecurity Awareness Month, and to improve the health care sector’s cybersecurity year-round. Effective cybersecurity means, at a minimum, complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This month’s activities are designed to help covered entities and business associates improve their HIPAA compliance and better protect individuals’ health records.
- Newsletter on Social Engineering: Social engineering attacks are designed to manipulate individuals into revealing information that can be used to attack an information system. This newsletter discusses common social engineering threats—such as phishing, smishing, baiting, and deepfakes—and how individuals and HIPAA regulated entities can defend against them. Coming soon.
- Video on Ransomware and the HIPAA Security Rule: Ransomware is one of the most common forms of cyberattacks and types of large breaches reported to OCR. This video reviews the trends OCR is seeing related to hacking and ransomware attacks; identifies common types of ransomware; discusses methods to prevent, detect, respond to, and recover from ransomware and related HIPAA Security Rule provisions; and provides cybersecurity resources to help organizations combat ransomware.
- OCR NIST Cybersecurity Conference: On October 23 and 24, 2024, OCR and NIST are hosting a cybersecurity conference that explores the current healthcare cybersecurity landscape and the HIPAA Security Rule. The conference will offer sessions that explore best practices in managing risks and the technical assurance of electronic protected health information. Presentations will cover a variety of topics including managing cybersecurity risk and implementing practical cybersecurity solutions, understanding current cybersecurity threats to the healthcare community, cybersecurity considerations for the Internet of Things (IoT) in healthcare environments, updates from federal agencies involved in healthcare cybersecurity, and more.
Although conference in-person attendance capacity has been met, registration for virtual attendance remains open. Please visit the event web page for more details and to register for virtual attendance.
This year, OCR has announced the resolution of 5 HIPAA Security Rule/Cybersecurity enforcement actions with settlements or civil money penalties.
- Montefiore Medical Center. A malicious insider stole protected health information of over 12,000 patients and sold it to an identity theft ring. The regulated entity entered into a resolution agreement and corrective action plan for $4.75 million, with 2 years to implement measures to comply with the HIPAA Security Rule.
- Green Ridge Behavioral Health, LLC. This settlement was OCR’s 2nd ransomware enforcement action of the year. A ransomware attack affected over 14,000 patients’ protected health information. The entity agreed to settle the investigation for $40,000 and implement a corrective action plan that will be monitored by OCR for 3 years.
- Heritage Valley Health System. This settlement was OCR’s 3rd ransomware enforcement action in 2024. The entity settled the investigation for $950,000 and agreed to a corrective action plan that will be monitored by OCR for 3 years.
- Cascade Eye and Skin Centers, P.C. This settlement was OCR’s 4th ransomware enforcement action. The entity settled the investigation for $250,000 and agreed to a corrective action plan that will be monitored by OCR for 2 years.
- Providence Medical Institute. OCR’s 5th ransomware enforcement action this year resulted in an imposition of a $240,000 civil monetary penalty. A series of ransomware attacks resulted in breaches affecting 85,000 patients’ protected health information.
We encourage your efforts to keep your organization in compliance with HIPAA, and part of that effort is having strong cybersecurity measures. Stay tuned for future OCR announcements in support of HIPAA and cybersecurity, including OCR’s plans to publish proposed modifications to the HIPAA Security Rule later this year, and please make use of our free cybersecurity resources.
Additional Resources:
- Security Risk Assessment (SRA) Tool
- FACTSHEET: Ransomware and HIPAA
- Guidance on Risk Analysis Requirements under the HIPAA Security Rule
- Cybersecurity Newsletters Archive
- Cyber-Attack Response Checklist
- Cyber-Attack Quick Response Infographic
- Recognized Security Practices Video
- The HIPAA Security Rule Risk Analysis Requirement Video
- Defending Against Cyber-Attacks - English and Spanish
- Online Tracking Technologies Bulletin
- Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet
- Resources for Mobile Health App Developers
- Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth
- Telehealth Privacy and Security Tips for Patients
- HHS Cybersecurity Performance Goals