Ignore Evolving Security Threats at Your Own Risk: OCR Raises Stakes on Cybersecurity in the Health Care Sector | Wyrick Robbins Yates & Ponton LLP


OCR’s recent focus on cybersecurity in the health care sector sends a clear message to HIPAA covered entities and business associates: OCR expects you to implement security measures that address known threats to ePHI that are evidenced by the sharp uptick in cyber hacking incidents. To that end, recent guidance published by OCR provides some key insights on what specific security measures OCR may consider reasonable and appropriate to address those known and evolving threats to ePHI.

This post summarizes that guidance and outlines some key practical takeaways.

Recent OCR Guidance on Cybersecurity

In the wake of the revelation of the “Log4j” vulnerability, OCR Director Lisa Pino published a blog post at the end of February challenging HIPAA covered entities and business associates to “strengthen your organization’s cyber posture in 2022.” Pino noted some best practices for HIPAA covered entities and business associates, including:

  • encryption of backups,
  • frequent vulnerability scanning,
  • regular patching of software and operating systems, and
  • training employees on phishing and other common IT attacks.

She also pointed out several areas of compliance with…
