Are you ready for 2022-2023 privacy and cybersecurity challenges, legal requirements and other updates? Here are key trends, regulatory enforcement, and other regulatory actions seen in 2022 and upcoming for 2023.
Ransomware
Ransomware continues to be the major concern for HIPAA-regulated entities.. According to a report published by Sophos, based on a survey of 5600 healthcare organizations with at least 100 employees, 66% indicated that their organization had experienced a ransomware incident affecting 1 or more devices. 67% of respondents indicated that the complexity of the attacks have increased. 99% of respondents got some encrypted data back. 61% of respondents said that they paid a ransom. The average ransomware payment reported was $197K. Eagle’s recommendation is to ensure that you perform a regular risk assessment to identify controls to help prevent attacks from occurring, to reduce the impact if they do occur, and to support rapid recovery after an attack.
CyberLiability Insurance Changes Driving Enhancements
After experiencing significant financial losses in 2020 and 2021, during 2022 cyber-liability insurance carriers began tightening underwriting standards, reducing coverage amounts for certain types of losses, and increasing premiums. Organizations have witnessed detailed security questionnaires and are told that certain high-priority controls, such as 2-Factor Authentication and protections of their backups, are mandatory to obtain coverage. In some cases organizations have needed to solicit additional quotations after receiving denials from their previous carrier. Eagle’s input is to begin its renewal process promptly.
HIPAA Enforcement Primarily from Right of Access Initiative
HHS has focused its enforcement efforts primarily on its “Right of Access Initiative”. HIPAA-regulated organizations are required to provide copies of medical records within 60 days. During 2020 and 2021, HHS has announced financial settlements with 22 organizations who have failed to provide patients timely access to their records. These settlement amounts have varied between $3500 and $240,000. The big lesson here: promptly respond to any patient or subscriber request for information, and deliver the information electronically whenever asked!
Potential Modifications to the HIPAA Regulations
In January 2021, the Department of HHS announced its effort to update the HIPAA regulations. They issued a request for information (RFI) with a focus on two areas: 1) Identifying recommended security practices so that they can determine fines and other remedies after investigations, compliance reviews, and audits, and 2) Evaluating whether to share Civil Monetary Penalties and/or settlement monies with individuals who are harmed. As of October 2022 there has been no proposed rule, but we anticipate that HHS is drafting potential changes. Of course, it is important to monitor regulatory developments and update policies and procedures accordingly.
Work From Home and 2022-2023 Privacy and Cybersecurity
Beginning with COVID-19, a major shift towards work-from-home has taken place. This in turn has driven the adoption of new technologies to support and manage at-home workers. Tools such as “Cloud Access Security Brokers” and the “Zero-Trust” philosophy have driven the response to this trend.
Privacy Regulations
While HIPAA-regulated entities have had the HIPAA Privacy rule for 20 years now, over the last couple of years there have been state privacy regulations introduced in California, Colorado, Virginia, and Utah. More states are considering regulations. As a result, we have the greatest possibility for new federal regulations affecting privacy. This year we have the American Data Privacy and Protection Act introduced in the House of Representatives in June 2022. This may exempt patient data, but would likely apply to employee, vendor, and other personally identifiable information (PII) maintained by HIPAA-regulated entities.
Eagle is pleased to offer a number of proactive services to help you meet your 2022-2023 privacy and cybersecurity challenges. If you haven’t completed a risk assessment, that is a good place to start. Often privacy and security policies will require update. Top controls to evaluate include security awareness training and enhancements to the backup regimen.