February 5, 2023

Volume XIII, Number 36

Error message

  • Warning: Undefined variable $settings in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
  • Warning: Trying to access array offset on value of type null in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).

February 03, 2023

Subscribe to Latest Legal News and Analysis

February 02, 2023

Subscribe to Latest Legal News and Analysis

OCR Publishes Recommendations to Prepare for Cybersecurity Threats

The Department of Health and Human Services Office of Civil Rights (OCR) Spring 2019 Cybersecurity Newsletter includes new recommendations regarding how HIPAA covered entities can prepare to defend against cybersecurity attacks such as advanced persistent threats (APTs) and zero-day vulnerabilities. These cybersecurity threats were used by hackers in the global WannaCry ransomware cyberattack, which severely impacted the United Kingdom’s National Health Service and several United States HIPAA-covered entities and business associates in May 2017.

According to the National Institute of Standards and Technology (NIST), an APT “is a long-term cybersecurity attack that continuously attempts to find and exploit vulnerabilities in a target’s information systems to steal information or disrupt the target’s operations.”[1] APT attacks may not be as sophisticated as other hacking attacks, but the persistence of the attack and the capability for the attacker to change tactics to avoid detection makes APTs formidable threats to health care organizations. Health care data is particularly valuable to hackers who can use the information to blackmail an individual and compromise the confidentiality, integrity, or availability of the affected individuals’ protected health information. 

Zero-day exploits are cybersecurity attacks which attempt to exploit unknown hardware, firmware, or software vulnerability. Through research and probing, hackers can discover zero-day exploits in antivirus software and take advantage of the lag time between the discovery of the vulnerability and the availability and/or implementation of the software patch or update. OCR states that these attacks are especially dangerous because their unique nature makes them more difficult to detect than ordinary hacking attacks. OCR emphasizes that HIPAA covered entities must be diligent in monitoring their cybersecurity or antivirus software for any unusual activity or suspicious files. Moreover, HIPAA covered entities should consider adopting other protective measures such as encryption, access controls, or network access limitations to mitigate the potential impact of zero-day vulnerabilities until a patch or upgrade is available.

OCR recommends that HIPAA-covered entities and business associates implement the following security measures contained in the HIPAA Security Rule (specifically the security measures set forth at 45 CFR § 164.308 and 45 CFR § 164.312) to proactively mitigate or prevent the harm that an APT or zero-day attack may cause:

  • Conducting risk analyses to identify  risks and vulnerabilities;

  • Implementing a risk-management process to mitigate identified risks and vulnerabilities;

  • Regularly reviewing audit and system activity logs to identify abnormal or suspicious activity;

  • Implementing procedures to identify and respond to security incidents;

  • Establishing and periodically testing contingency plans including data backup and disaster recovery plans to ensure data is backed up and recoverable;

  • Implementing access controls to limit access to ePHI;

  • Encrypting ePHI, as appropriate, for data at rest and data in motion; and

  • Implementing a security awareness and training program, including periodic security reminders and education and awareness of implemented procedures concerning malicious software protection, for all workforce members.

The full Spring 2019 OCR Cybersecurity Newsletter is available here.

[1] Available here: https://csrc.nist.gov/publications/detail/sp/800-39/final.

© 2023 Dinsmore & Shohl LLP. All rights reserved.National Law Review, Volume IX, Number 98

About this Author

Jennifer Mitchell, health care practice group partner, Dinsmore Shohl, law firm,

Jennifer is a Partner in the Health Care Practice Group and leads the firm’s HIPAA Privacy and Security practice and initiatives. In her HIPAA practice, she works with clients to minimize the risk of privacy and data security issues, assisting with all aspects of HIPAA privacy and security compliance, governance, audits/investigations, breach analyses, training and strategic planning. She has a thorough understanding of federal and state privacy and confidentiality laws and has served as a health care privacy expert witness. 

Within the...

Jared Bruce, Dinsmore Law Firm, Cincinnati, Corporate and Health Care Law Attorney

Jared focuses his practice on various health care law matters, including regulatory compliance, transactional matters and cybersecurity.  His prior experience includes serving as in-house counsel for a large non-profit managed care plan.

He drafts and negotiates complex health care-related contracts involving information technology (software licenses and professional service agreements), provider agreements, data sharing agreements and Business Associate Agreements. Jared’s practice includes advising payers, hospitals and providers on compliance...