For nearly a year, Lisa J. Pino has served as Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Ten months in, she has steadily begun to refocus the healthcare industry on the importance of comprehensive cybersecurity. This focus includes promoting annual risk assessments by healthcare organizations as well as adherence to other security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA).
“Prioritizing cybersecurity and patient privacy is of the utmost concern,” says Pino.
Unlike previous OCR directors, Pino acquired cybersecurity and data breach experience during her service as senior counselor in the U.S. Department of Homeland Security (DHS). At DHS, Pino directed the mitigation of a 2015 U.S. data breach that affected four million federal personnel and some 22 million surrogate profiles—the largest hack in federal history at the time. Her mitigation tactics included establishing new cybersecurity regulatory protections and renegotiating 700 vendor procurements.
Immediately prior to her OCR appointment, Pino served as Executive Deputy Commissioner for the New York State Department of Health, a role in which she led the state’s operational response to the pandemic. Pino is a New York City native, fluent in Spanish, first-generation daughter of immigrant parents, and the first college graduate in her family. She holds Bachelor’s, Master’s, and Juris Doctor degrees from the Sandra Day O’Connor College of Law at Arizona State University.
“Strengthen Your Cyber Posture in 2022”
“I cannot underscore enough the importance of enterprise-wide risk analysis,” she said, adding, “Risk management strategies need to be comprehensive in scope.”
Healthcare Entities Urged to Apply Security Best Practices
In her communication, the OCR Director spelled out several fundamental best practices for improving cybersecurity in the healthcare industry. She also offered online resources for use by healthcare organizations in reducing their attack surfaces and strengthening their cybersecurity programs.
Among the security best practices cited by Pino:
- Conduct scans regularly to identify and address vulnerabilities, especially on internet-facing devices
- Maintain encrypted backups of your data offline
- Test your backups regularly, and update them regularly
- Patch software and update operating systems regularly
- Train your employees to recognize phishing and other common scams to avoid being victimized.
This advice should not be new to any healthcare provider or healthcare plan/insurer, large or small. These are basic tactics that have proven effective in identifying security gaps, reducing vulnerabilities, and developing more robust cybersecurity.
Pino’s repeated use of the word “regularly” to describe these security best practices is also no accident.
Emphasis on HIPAA Requirement for Regular Risk Analysis
As part of the renewed focus on hardening cybersecurity in healthcare, the OCR Director is emphatic about the importance of security risk assessments, citing a “continued need for regulated entities to improve compliance with the HIPAA Security Rule standards … and implementation specifications.”
Particular emphasis is placed on risk analysis and risk management, information system activity review, audit controls, security awareness and training, and authentication.
In support of this renewed focus, guidance from HHS OCR is very clear as to security requirements of the HIPAA Security Rule. The guidance notes that the Security Management Process standard in 45 CFR § 164.308(a)(1) “requires organizations to implement policies and procedures to prevent, detect, contain, and correct security violations. Risk analysis is one of four required implementation specifications” that support this standard.
Per the Security Rule at 45 CFR § 164.306(a), the required risk analysis should encompass the potential risks to and vulnerabilities of the confidentiality, integrity, and availability of all e-PHI that is created, received, maintained, or transmitted by a healthcare organization.
This includes “e-PHI in all forms of electronic media” regardless of their source or location, and whether attached to “a single workstation or a complex network between multiple locations.” Or, in Lisa Pino’s own words, all ePHI “across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”
Required Elements of a Risk Analysis
The HHS OCR Security Rule guidance goes on to identify the eight elements or steps of a security risk assessment. For your convenience, following is a summary of each step described in the HHS OCR guidance at the link above:
- Collect and Document Data
  - Identify where e-PHI is stored, received, maintained, or transmitted
  - Document data gathered on e-PHI
- Identify and Document Potential Threats and Vulnerabilities
  - Identify and document reasonably anticipated threats to e-PHI
  - Identify different threats unique to your circumstances/environment
  - Also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI
- Assess Current Security Measures
  - Assess and document the security measures used to safeguard e-PHI
  - Determine if security measures required by the Security Rule are already in place
  - Determine if current security measures are configured and used properly
- Determine Likelihood of Threat Occurrence
  - Document all threat and vulnerability combinations
  - Estimate likelihood of each combination impacting the confidentiality, integrity, or availability of e-PHI
- Determine Potential Impact of Threat Occurrence
  - Assess magnitude of potential impact from a threat triggering or exploiting a specific vulnerability
  - Use qualitative methods, quantitative methods, or both, to estimate impact
  - Document all potential impacts from occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, integrity, or availability of e-PHI
- Determine Level of Risk
  - Assign risk levels for all threat and vulnerability combinations identified
  - Document assigned risk levels
  - List corrective actions to be performed to mitigate each risk level
- Finalize Documentation
  - Risk analysis documentation is a direct input to the risk management process
  - Documentation should be accurate, current, and complete
  - The Security Rule does not specify documentation format
- Periodic Review and Updates to Risk Assessment
  - Risk analysis process should be ongoing to enable an organization to update and document security measures “as needed” as required by the Security Rule
  - Frequency of analysis (annual, bi-annual, or tri-annual) may vary based on an individual organization’s circumstances and environment
  - Circumstances that should trigger a risk analysis update include a data breach or other security incident, change in company ownership, turnover in key staff or management, plans to add new technology, and similar events
  - Risk analysis update should determine if e-PHI will continue to be reasonably and appropriately protected in light of the new circumstance(s)
  - If existing security measures are not sufficient to protect against potential new risks, identify what additional security measures are needed.
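To make the eight steps concrete, here is an added example (not code from the article, from HHS OCR, or from any named vendor) that walks them for a constructed set of e-PHI locations and threat/vulnerability pairs: it records where e-PHI lives, pairs threats with vulnerabilities, notes whether a safeguard is in place, estimates likelihood and impact, folds those into a risk level with a corrective action, produces the documented register, and checks whether the periodic review is due. The three-level scale, the 3x3 risk matrix, the annual cadence and the trigger-event names are assumptions chosen for illustration; the Security Rule prescribes none of them.

```python
"""Added example: a minimal HIPAA-style risk analysis register.
Scales, matrix, cadence and sample data are constructed assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative scale for likelihood, impact and risk (assumed 3-point scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class EphiLocation:
    """Step 1: a place where e-PHI is created, received, maintained or transmitted."""
    name: str
    media: str              # e.g. "web server", "workstation", "backup storage"
    internet_facing: bool


@dataclass(frozen=True)
class ThreatVulnPair:
    """Step 2: one threat/vulnerability combination, plus the inputs steps 3-6 need."""
    location: EphiLocation
    threat: str
    vulnerability: str
    control_in_place: bool  # Step 3: is a required safeguard present and working?
    likelihood: Level       # Step 4
    impact: Level           # Step 5
    corrective_action: str  # Step 6: what will mitigate this risk


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Step 6: fold likelihood x impact into a risk level (assumed 3x3 matrix)."""
    score = int(likelihood) * int(impact)   # 1..9
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


def build_register(pairs: list[ThreatVulnPair]) -> list[dict]:
    """Step 7: the documented register, highest risk first (format is up to the entity)."""
    rows = []
    for p in pairs:
        rows.append({
            "location": p.location.name,
            "media": p.location.media,
            "internet_facing": p.location.internet_facing,
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "control_in_place": p.control_in_place,
            "likelihood": p.likelihood.name,
            "impact": p.impact.name,
            "risk": risk_level(p.likelihood, p.impact).name,
            "corrective_action": p.corrective_action,
        })
    rows.sort(key=lambda r: Level[r["risk"]], reverse=True)
    return rows


# Step 8: event names (assumed labels) for the update triggers the guidance lists.
UPDATE_TRIGGERS = {"security incident", "ownership change",
                   "key staff turnover", "new technology"}


def needs_update(days_since_last: int, events: list[str],
                 interval_days: int = 365) -> tuple[bool, list[str]]:
    """Step 8: periodic review. Assumed annual cadence plus trigger events."""
    reasons = [e for e in events if e in UPDATE_TRIGGERS]
    if days_since_last > interval_days:
        reasons.append(f"more than {interval_days} days since last analysis")
    return (bool(reasons), reasons)


# Constructed sample data; these are not real systems.
PORTAL = EphiLocation("patient portal", "web server", internet_facing=True)
BACKUP = EphiLocation("nightly backups", "backup storage", internet_facing=False)
CLINIC = EphiLocation("front-desk workstation", "workstation", internet_facing=False)

SAMPLE_PAIRS = [
    ThreatVulnPair(PORTAL, "remote attacker", "unpatched web framework",
                   control_in_place=False, likelihood=Level.HIGH, impact=Level.HIGH,
                   corrective_action="patch on a fixed cycle; scan internet-facing hosts"),
    ThreatVulnPair(BACKUP, "ransomware", "backups online and unencrypted",
                   control_in_place=False, likelihood=Level.MEDIUM, impact=Level.HIGH,
                   corrective_action="keep encrypted offline copies; test restores regularly"),
    ThreatVulnPair(CLINIC, "phishing e-mail", "staff not trained to spot scams",
                   control_in_place=True, likelihood=Level.MEDIUM, impact=Level.MEDIUM,
                   corrective_action="recurring awareness training; easy phish reporting"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_PAIRS):
        print(f'{row["risk"]:6} {row["location"]:24} {row["corrective_action"]}')
    print(needs_update(400, ["new technology"]))
```

The register deliberately keeps the "is a required safeguard in place" flag separate from the risk score: a pair can score HIGH even where a control exists if the control is misconfigured, which is exactly the "configured and used properly" check in step 3. Run as a script it prints the register sorted by risk and then the review decision for a constructed 400-day-old analysis with a pending technology change.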
Any risk assessment conducted by or on behalf of a healthcare organization must include these components in order to comply with the HIPAA Security Rule.
There’s a new sheriff in town, and Lisa Pino is emphatic about healthcare entities improving their cybersecurity postures in 2022 and beyond. The new Director of the HHS Office for Civil Rights has experience in cybersecurity and data breach mitigation.
She has already expressed concern that the same compliance issues keep cropping up, despite the fact that they have been “identified as areas needing improvement” during previous OCR data breach investigations.
Citing ongoing data breaches and security incidents as the basis for a renewed OCR focus on compliance, Pino has vowed to continue the “important work leading HHS’s enforcement of the HIPAA Privacy, Security, and Breach Notification Rules.” Her stated intention is to drive improvements in cybersecurity and patient privacy across the healthcare industry, and she seems well-prepared to step up the pace of compliance. Healthcare organizations of all types should take notice.