By the simple nature of their operations, human service organizations possess abundant amounts of protected personal information in electronic format. As confirmed by the U.S. Department of Health and Human Services (HHS), the threat posed to these records has never been higher.
With phishing, smishing, ransomware and other costly cyber-attacks on the rise, many government organizations and regulatory agencies – including the HHS, Office of Civil Rights (OCR), and Food and Drug Administration (FDA) – are developing updated cybersecurity guidance and laws.
This article will provide an overview of some of the recent key cybersecurity updates that health and human service organizations should be aware of.
Enhanced Focus on HIPAA Cybersecurity and Privacy
On February 27, 2023, the agency responsible for HIPAA enforcement, the HHS, announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division through the OCR.
This update comes after the OCR cited a 69 percent increase in complaints from 2017 to 2022. As of 2022, the OCR received 51,000 complaints— 27 percent alleged violations of civil rights, 7 percent alleged violations of conscience/religious freedom, and 66 percent alleged violations of health information privacy and security laws.
The newly created Enforcement Division, Policy Division, and Strategic Planning Division have been established to provide a more integrated operational structure for civil rights, conscience protections and privacy protections and cybersecurity protections.
New Guidance on Data Tracking Technologies
On December 1, 2022, the OCR issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies.
This new guidance addresses what a tracking technology is as well as how the HIPAA Rules apply to regulated entities’ use of tracking technologies in the following areas:
- Tracking on user-authenticated webpages
- Tracking on unauthenticated webpages
- Tracking within mobile apps
- HIPAA compliance obligations for regulated entities when using tracking technologies
FDA Policy on Cybersecurity in Medical Devices
Given the increased risk of cybersecurity threats to the healthcare sector, the U.S. Food & Drug Administration (FDA) has made it a requirement for medical devices to be secured against cyberattacks as of March 29, 2023.
Under this new guidance, all new medical device applicants must now follow the below steps to ensure security:
- Submit a plan on how to monitor, identify, and address cybersecurity issues
- Develop and maintain processes and procedures to provide reasonable assurance that the device is cybersecure
- Provide a software bull of materials
- Comply with all other requirements to ensure the device is cybersecure
Navigating the above cybersecurity updates can be complex and time consuming. If you need further guidance or have any questions, we’re here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.