2021 HIPAA Privacy, Security, and Breach Notification Rule Compliance and Breaches of Unsecured Protected Health Information reports were made by HHS/OCR to Congress, providing data on the numbers of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.
Notably, hacking defenses were highlighted, including:
risk analysis and risk management
information system activity review
audit controls; and
Given that hacking / cybersecurity incidents have overtaken "the old lost thumb drive" story of 10 years ago, each of the four areas represents exactly where organizations should point their focus. Understanding risks helps align spending priorities. System activity review should be alive everywhere (think an MSP with a SOC monitoring your network 24 x 7 x 365). Audits should be performed on any anomalous behavior (e.g. failed logins, inappropriate PHI access, etc.), and access controls should implement stronger safeguards, including multi-factor authentication anywhere possible.
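As an added illustration of what "information system activity review" looks like in practice (this is example code written for this post, not anything from HHS/OCR), the script below runs two of the audits named above over a handful of constructed audit-log lines: a burst of failed logins for one account, and a PHI record viewed by a user who is not on that patient's care team. The log format, the user names, the patient ids and the care-team mapping are all made up for the example; a real EHR audit trail would need its own parser, but the review logic is the same.

```python
"""Minimal information-system activity review over constructed HIPAA-style audit log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (not real data): timestamp, user, event, patient id ("-" = none).
SAMPLE_LOG = """\
2024-03-01T08:00:01 jdoe LOGIN_FAIL -
2024-03-01T08:00:09 jdoe LOGIN_FAIL -
2024-03-01T08:00:15 jdoe LOGIN_FAIL -
2024-03-01T08:00:22 jdoe LOGIN_FAIL -
2024-03-01T08:00:30 jdoe LOGIN_FAIL -
2024-03-01T08:00:41 jdoe LOGIN_OK -
2024-03-01T09:12:00 rn_smith PHI_VIEW P1001
2024-03-01T09:15:30 dr_lee PHI_VIEW P1001
2024-03-01T09:20:00 billing_kim PHI_VIEW P2002
2024-03-01T10:05:00 rn_smith PHI_VIEW P3003
2024-03-01T11:00:00 dr_lee LOGIN_FAIL -
2024-03-01T11:00:05 dr_lee LOGIN_OK -
"""

# Constructed care-team assignments: users with a treatment/payment/operations reason to view each patient.
CARE_TEAM = {
    "P1001": {"rn_smith", "dr_lee"},
    "P2002": {"billing_kim", "dr_lee"},
    "P3003": {"dr_lee"},
}

FAIL_THRESHOLD = 5               # failed logins ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window trigger an alert


def parse_log(text):
    """Parse the whitespace-separated sample format into dicts; real systems need their own parser."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, patient = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "patient": None if patient == "-" else patient,
        })
    return records


def failed_login_bursts(records, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return {user: timestamp at which `threshold` failures first fell inside `window`}."""
    recent = defaultdict(deque)  # sliding window of failure timestamps per user
    alerts = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] != "LOGIN_FAIL":
            continue
        q = recent[r["user"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and r["user"] not in alerts:
            alerts[r["user"]] = r["ts"]
    return alerts


def unassigned_phi_access(records, care_team=CARE_TEAM):
    """Return (user, patient, ts) for every PHI view by a user not on that patient's care team."""
    findings = []
    for r in records:
        if r["event"] == "PHI_VIEW" and r["user"] not in care_team.get(r["patient"], set()):
            findings.append((r["user"], r["patient"], r["ts"]))
    return findings


def review(text=SAMPLE_LOG):
    """Run both audits and return the findings for follow-up by the privacy/security officer."""
    records = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(records),
        "unassigned_phi_access": unassigned_phi_access(records),
    }


if __name__ == "__main__":
    for kind, items in review().items():
        print(kind)
        for item in (items.items() if isinstance(items, dict) else items):
            print("  ", item)
```

On the sample data the review flags jdoe (five failures in under a minute) and rn_smith's view of P3003, while dr_lee's single failed login and the in-team PHI views pass. The threshold, window and care-team source are the knobs a risk analysis would set for a real environment.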
HHS reports that hacking now accounts for 75% of breaches affecting more than 500 patients. I doubt anyone working in information services disagrees (gone phishing lately, anyone?). Open the hyperlinks above to read the reports and use the information to educate your organization's leadership and promote your program.
Stay (HIPAA) safe, Alan -