The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is currently focusing its enforcement initiative on the risk analysis requirements of the Security Management Standard under the HIPAA Security Rule. OCR recently announced the first enforcement action under that initiative: Bryan County Ambulance Authority in Oklahoma agreed to pay a $90,000 settlement.
Compliance with the HIPAA regulations, and in particular with the HIPAA Security Rule, is an OCR priority. OCR also helps HIPAA-covered entities comply with the Security Rule, and one way it does so is through its Security Risk Assessment (SRA) Tool. OCR and the Assistant Secretary for Technology Policy (ASTP) released a new version of the tool last week.
The healthcare and public health sector continues to experience hacking incidents and ransomware attacks. In most cases, however, these attacks are avoidable if an organization performs a thorough and accurate risk analysis and then addresses the risks it identifies. Many OCR investigations of large data breaches have uncovered risk analysis failures, including not conducting a risk analysis at all or conducting one that was not thorough and accurate. Because of these failures, risks and vulnerabilities went undiscovered and unresolved, and hackers exploited them to gain access to healthcare systems and patient information.
The SRA Tool walks covered entities through a series of multiple-choice questions to help them identify risks and vulnerabilities before malicious actors can exploit them. The updated version of the tool, developed mainly for small and medium-sized HIPAA-covered entities, includes several improvements based on feedback from end users and the most recent cybersecurity guidance. The new version provides revised and improved guidance and instructions, new content on assessing supply chain risks, and updated content on addressing identified risks and vulnerabilities. It also replaces references to NIST Cybersecurity Framework (CSF) 1.1 with references to NIST CSF 2.0, which incorporate the Healthcare and Public Health (HPH) Cybersecurity Performance Goals. OCR is urging all HIPAA-covered entities to use the updated content. The updated version of the SRA desktop application can be downloaded from the HHS website.