
OCR Cybersecurity Guidance: Defending Against Common Cyberattacks


Please support’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) releases a quarterly cybersecurity newsletter to provide guidance on current threats and how to mitigate them. The most recent OCR cybersecurity newsletter, released in late March 2022, identified hacking as the biggest concern for healthcare organizations. Healthcare organizations can best prevent cyberattacks by following HIPAA security rules.

One of the most significant challenges healthcare organizations face when implementing security measures is the lack of clear guidance on how to implement them effectively. In early 2021, a cybersecurity best practices bill, HR 7898, was passed to incentivize healthcare organizations that implement recognized cybersecurity frameworks. However, the bill still does not provide clear guidance, which is why OCR has issued a Request for Information (RFI). The RFI seeks public comment on how covered entities and business associates implement recognized security practices; the responses will inform potential future guidance on implementing these practices.

OCR Cybersecurity Newsletter: Cyberattacks and Cybersecurity Best Practices

The OCR Cybersecurity Newsletter highlighted three common cyberattacks that threaten healthcare organizations' security: phishing, exploitation of known vulnerabilities, and taking advantage of weak authentication protocols. Each of these attack methods can lead to the theft or loss of protected health information (PHI). However, organizations can prevent these cyberattacks by implementing the HIPAA Security Rule requirements.

Preventing Phishing

The HIPAA Security Rule provides guidance on how to prevent and respond to phishing, including:

  • Implement a comprehensive security awareness and training program for all staff
  • Implement a protocol for what to do when attacks or suspected attacks occur
  • Send periodic security reminders, such as simulated phishing emails, to gauge the effectiveness of the training program
  • Offer additional, targeted training where necessary
  • Implement anti-phishing technologies
  • Implement policies and procedures to protect ePHI from improper alteration or destruction
  • Assess and reduce risks and vulnerabilities to ePHI by performing a risk analysis

Preventing the Exploitation of Known Vulnerabilities

To prevent the exploitation of known vulnerabilities, healthcare organizations must stay aware of announcements of software vulnerabilities that may affect them. When software providers identify a vulnerability, they generally provide a fix in the form of a patch or update. However, the same announcement makes attackers aware of the vulnerability, and they exploit it to gain access to sensitive information on systems that have not yet been fixed. This window of exposure is why it is essential to install patches and updates as soon as they become available.

Preventing Weak Authentication Protocols

Weak authentication requirements, including weak password rules, single-factor authentication, and a lack of access controls, can give an attacker easy initial access. Once an attacker has found a way in, the attacker can access privileged accounts, deploy malware, and exfiltrate data. Healthcare organizations must implement policies and procedures for strong passwords, user authentication, and access controls with role-based access. See the article Passwords & Endpoint Security 101: Basic Cybersecurity to Prevent Healthcare Data Breaches for more guidance.

OCR Seeks Comment on HR 7898

In January 2021, HR 7898, nicknamed the Cybersecurity Best Practices bill, was signed into law. Under this law, HHS OCR must consider whether an entity used recognized cybersecurity best practices in the year preceding a violation when deciding whether to penalize the organization.

In April 2022, OCR issued a public Request for Information (RFI).

The RFI seeks public comment on three areas:

  1. How are covered entities and business associates implementing “recognized security practices”?
  2. How do covered entities and business associates demonstrate that recognized security practices are in place?
  3. Are there any implementation issues covered entities and business associates would like OCR to clarify through future guidance or rulemaking?

HHS seeks public comment because several aspects of HIPAA data security best practices remain unclear. Comments must be submitted to HHS by June 6, 2022, to be considered.

This Article Contributed by Compliancy Group
