New HHS Cybersecurity Guidelines to Protect PHI

The HHS has published new guidelines for healthcare organizations to improve the protection of the PHI they maintain. Through these guidelines, the HHS aims to help healthcare organizations develop a more comprehensive cyber posture: increasing the overall strength of an organization's cybersecurity, developing protocols for predicting and preventing cyber threats, and improving the organization's ability to continue operations while responding to those threats. A significant portion of breaches of unsecured electronic Protected Health Information are the result of cyberattacks, and the HHS has contended that a large percentage of those breaches could have been prevented had the organization been fully compliant with the HIPAA Security Rule. To comply with the HIPAA Security Rule, organizations are required to implement the appropriate safeguards; implementing these safeguards helps ensure the confidentiality, integrity, and availability of an organization's ePHI.

The HHS outlines several steps an organization can take to improve its cyber posture. These steps include conducting regular security posture assessments, consistently monitoring networks and software for vulnerabilities, defining which sections of the organization manage which risks and designating managers to oversee specific risks, frequently analyzing gaps in security controls, defining key security metrics, and creating both an incident response plan and a disaster recovery plan. The guidelines also include a set of best practices that the HHS recommends healthcare organizations adopt: ensuring adequate preparation to respond if an intrusion occurs, maximizing resilience to cyberattacks, reducing the likelihood of damaging cyber intrusions, and implementing steps to swiftly detect a potential intrusion.

There are several steps organizations can take to reduce the likelihood of an exposure of ePHI. These include implementing multi-factor authentication for access to the organization's network, regularly updating software to address vulnerabilities, and ensuring that IT personnel have disabled all ports and protocols that are not essential for business purposes. The HHS also notes the importance of a fully comprehensive risk assessment. Risk assessments help organizations identify threat sources, threat events, and vulnerabilities; determine the likelihood of exploitation; determine the probable impact of a risk; and calculate risk as a combination of likelihood and impact. The HHS has recently updated its Security Risk Assessment Tool, which can help healthcare organizations develop security risk assessments.

An organization that strengthens its cyber posture can gain several benefits, including stronger protection against unauthorized access, loss, or deletion of data; prevention of fraud and abuse; prevention of cyber espionage; and improved customer confidence in the organization. Organizations should follow the HHS cybersecurity guidelines in order to realize these benefits.