In an exclusive interview, Roger Severino, director of the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, spells out critical steps healthcare organizations must take to safeguard patient information and ensure patient safety in light of the surge in ransomware and other hacking incidents.
“We’re seeing a growth of advanced persistent threats where hackers will infiltrate, usually through phishing, to get credentials and get their foot through the door in one area of a covered entity’s systems,” he says in an in-depth interview with Information Security Media Group.
Then the hackers will “attempt to learn everything they can about the access they gained to see if they can leverage that to jump to a more secure area of the system,” he says.
Given that hackers can reside on a network for months or even years, Severino says, it’s essential to have “proper audits and logs to have visibility into your system.”
Severino says OCR is ramping up enforcement of compliance with HIPAA provisions regarding a patient’s right to easily access a copy of all their medical information from multiple sources. If some information, such as a diagnosis or a medication list, is unavailable, he says, it could lead to serious patient safety issues.
He also points out that when healthcare organizations have relationships with third parties that are acting on their behalf, they must have appropriate business associate agreements “so that the chain of custody of that protected health information remains secure so that there is no weak link in the chain because there is far too much at stake.”
In this interview, Severino also discusses:
Before joining HHS OCR, Severino served as director of the DeVos Center for Religion and Civil Society at The Heritage Foundation. Prior to that, Severino was a trial attorney in the Department of Justice’s Civil Rights Division.