For nearly a year, Lisa J. Pino has served as Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Ten months in, she has steadily begun to refocus the healthcare industry on the importance of comprehensive cybersecurity. This focus includes promoting annual risk assessments by healthcare organizations as well as adherence to other security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Unlike previous OCR directors, Pino acquired cybersecurity and data breach experience during her service as senior counselor in the U.S. Department of Homeland Security (DHS). At DHS, Pino directed the mitigation of a 2015 U.S. data breach that affected four million federal personnel and some 22 million surrogate profiles—the largest hack in federal history at the time. Her mitigation tactics included establishing new cybersecurity regulatory protections and renegotiating 700 vendor procurements.
Immediately prior to her OCR appointment, Pino served as Executive Deputy Commissioner for the New York State Department of Health, a role in which she led the state’s operational response to the pandemic. Pino is a New York City native, fluent in Spanish, first-generation daughter of immigrant parents, and the first college graduate in her family. She holds Bachelor’s, Master’s, and Juris Doctor degrees from the Sandra Day O’Connor College of Law at Arizona State University.
In her first public communiqué, posted on the HHS.gov blog on February 28, 2022, Pino summarized her commitment to improving cybersecurity in healthcare. Citing ongoing cyberattacks, compounded by the prevalence of unpatched software, exploitable JavaScript, and other vulnerabilities, the OCR Director “call(ed) on covered entities and business associates to strengthen your organization’s cyber posture in 2022.”
“I cannot underscore enough the importance of enterprise-wide risk analysis,” she said, adding, “Risk management strategies need to be comprehensive in scope.”
In her communication, the OCR Director spelled out several fundamental best practices for improving cybersecurity in the healthcare industry. She also offered online resources for use by healthcare organizations in reducing their attack surfaces and strengthening their cybersecurity programs.
Among the security best practices cited by Pino:
This advice should not be new to any healthcare provider or healthcare plan/insurer, large or small. These are basic tactics that have proven effective in identifying security gaps, reducing vulnerabilities, and developing more robust cybersecurity.
Pino’s repeated use of the word “regularly” to describe these security best practices is also no accident.
As part of the renewed focus on hardening cybersecurity in healthcare, the OCR Director is emphatic about the importance of security risk assessments, citing a “continued need for regulated entities to improve compliance with the HIPAA Security Rule standards … and implementation specifications.”
Particular emphasis is placed on risk analysis and risk management, information system activity review, audit controls, security awareness and training, and authentication.
In support of this renewed focus, guidance from HHS OCR is very clear as to the security requirements of the HIPAA Security Rule. The guidance notes that the Security Management Process standard in 45 CFR § 164.308(a)(1) “requires organizations to implement policies and procedures to prevent, detect, contain, and correct security violations. Risk analysis is one of four required implementation specifications” that support this standard.
Per the Security Rule at 45 CFR § 164.306(a), the required risk analysis should encompass the potential risks to and vulnerabilities of the confidentiality, integrity, and availability of all e-PHI that is created, received, maintained, or transmitted by a healthcare organization.
This includes “e-PHI in all forms of electronic media” regardless of their source or location, and whether attached to “a single workstation or a complex network between multiple locations.” Or, in Lisa Pino’s own words, all ePHI “across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”
The HHS OCR Security Rule guidance goes on to identify the eight elements or steps of a security risk assessment. For your convenience, following is a summary of each step described in the HHS OCR guidance at the link above:
Any risk assessment conducted by or on behalf of a healthcare organization must include these components in order to comply with the HIPAA Security Rule.
There’s a new sheriff in town, and Lisa Pino is emphatic about healthcare entities improving their cybersecurity postures in 2022 and beyond. The new Director of the HHS Office for Civil Rights has experience in cybersecurity and data breach mitigation.
She has already expressed concern that the same compliance issues keep cropping up, despite the fact that they have been “identified as areas needing improvement” during previous OCR data breach investigations.
Citing ongoing data breaches and security incidents as the basis for a renewed OCR focus on compliance, Pino has vowed to continue the “important work leading HHS’s enforcement of the HIPAA Privacy, Security, and Breach Notification Rules.” Her stated intention is to drive improvements in cybersecurity and patient privacy across the healthcare industry, and she seems well-prepared to step up the pace of compliance. Healthcare organizations of all types should take notice.