Transcript
This transcript has been edited and refined for clarity.
Marianne McGee: Hi, I'm Marianne Kolbasuk McGee, executive editor at Information Security Media Group. And I'm here at the HIMMS Cyber Forum in Boston speaking with Nick Heesters, who is senior adviser for cybersecurity at the Department of Health and Human Services' Office for Civil Rights. Hi, Nick.
Nick Heesters: Hi, Marianne, how are you this afternoon?
McGee: Good. Thanks so much for doing this. So Nick, as HHS OCR gets thousands of HIPAA complaints and hundreds of breach notices or breach reports, so for this year, what are some of the main trends that you're seeing? And what's changing that healthcare sector covered entities and business associates should be paying more attention to? I know, hackings been an issue for a while; there's been a push for the right of access. When it comes to complaints, anything new that you're seeing?
Heesters: I think there was just more of the same. And I think that here at HIMMS in Boston, they had some good discussions. I've talked about some of those trends. I think we had someone that talked about the secure file transfer issues. Those have resulted in a lot of breaches. And there was someone who talked about the malicious chain that's typical in a hacking attack, phishing being initial vector to come in, getting a toehold in the system through some type of malware drop, being able to somehow escalate privileges and getting some kind of domain admin rights, moving laterally within that system, without major obstructions, looking for source of information, exfiltrated information, removing backups, deploying ransomware, deploying backdoors to come back in later, that was described as something that's fairly common by one of the speakers who is the CISO of a health system. And that's what we see over and over again, in OCR as well. So we can emphasize that is the continued chain of attack that we see that is fairly common.
McGee: So you mentioned the secure file transfer software companies. Progress Software had a vulnerability that was exploited. You had Fortra earlier this year. And we see breaches still being reported, involving PACS, in healthcare sector entities involving those products. Are those vendors among the biggest business associates breaches you have seen this year because I know, in the past, we've seen other large vendor breaches that resulted in a lot of covered entities reporting breaches and large breaches. But does that seem to be some of the dominant things you're seeing in terms of the business associates this year so far?
Heesters: Breaches that have been related to MOVEit, in particular, more recently, in the past year, those have been several breaches affecting a fairly large number of individuals per report. But more generally, the trend: if you have a business associate that specifically caters to the healthcare industry, you're going to have healthcare clients. If there is a breach at that business associate, there is certainly the possibility that you're going to have multiple healthcare clients be a part of that breach, have their health information for multiple clients be a part of breach, and those breaches may in fact be larger because of that particular business model.
McGee: And now, HHS OCR also has various rulemaking in the works, including the HIPAA Privacy Rule proposals related to enhancing protections over reproductive health information. And there's also other rulemaking that's in the works. How soon might we see a final rule for the reproductive health information proposals, and what else should we be watching for in the near term?
Heesters: For as far as rulemaking activity, I'd refer folks to the Federal Register and what the current status is there. I don't have a comment on this, any particular days for those.
McGee: And now HHS OCR and the Federal Trade Commission have both been repeatedly warning the healthcare sector about the risk in using online tracking tools, such as Meta Pixel and Google Analytics, saying that those web trackers could be in violation of HIPAA and FTC regulations depending on how they're used because they disclose to third parties, consumer and patient health information and other identifiers that the individuals might not be aware of. And HHS OCR and FTC recently sent 130 letters to organizations specifically telling them they should be reviewing how they're using these web trackers. And just a few days ago, HHS OCR and FTC made public the letters that were sent out to the 130 organizations. When it comes to the onlookers, the companies out there who did not receive one of these letters, but they're using web trackers, if it's a HIPAA-covered entity, what should they be thinking right now? What should they be doing? Should they be going back and checking to see if they're using web trackers? And if so, how?
Heesters: I think that's right. So I think our bulletin made clear that entities that are going to be using online tracking technologies need to understand what those are doing in our environments. If HIPAA obligations apply, to ensure that they are complying with the HIPAA rules in their use of those web tracking technologies. And, between the guidance, and then with the joint letter of the FTC, we make people understand that this could implicate HIPAA, and highlight that the HIPAA rules may apply in situations. So if an entity that deploys online tracking devices or technologies, that if they did not look at that through the lens of potential HIPAA obligations, that they should do so.
McGee: So in terms of the 130 organizations that did receive letters, how were they chosen? Were they kind of in some incidents? A few of these covered entities had previously reported breaches to HHS OCR related to their previous use of web trackers, but then there was a long list of other companies that kind of seemed random. Have HHS OCR and FTC received complaints about certain companies? Do either of the agencies have scanning tools to see how these web trackers might be used by some covered entities and regulated organizations? How did you'll zero in on who to warn?
Heesters: I was not involved in our process of identifying at least to send letters to so I don't know the methodology under which they were chosen.
McGee: And as in terms of enforcement actions, we've seen some from the FTC - there's been at least a handful, maybe two or three so far. And HHS OCR has previously said that it is actively investigating these cases involving web trackers. Any sense of when we might see an enforcement action from HHS OCR?
Heesters: No particular dates on when we may see some type of published enforcement action. But you're correct. There are web tracking issues that we are investigating.
McGee: Has HHS OCR given technical assistance to organizations at this point that have been using web trackers perhaps in a potentially non-compliant way, but it is trying to help them not to do that?
Heesters: I'm not sure of where particular investigations are on a case-by-case basis. So, I will certainly think that's a possibility, but I would not know if that had happened yet or had already happened. So I can't comment.
McGee: And in terms of guidance, any forthcoming topics of guidance that we should be watching for from HHS OCR at this point of the year, or looking into next year for that matter?
Heesters: OCR is always looking for opportunities to provide guidance on compliance with the HIPAA rules to our regulated community members. So we're looking at different areas to explore based on what current trends are, what cybersecurity issues and breaches and the best way to approach that, and in communicating better ways to comply with HIPAA. What we do have coming out is the new version of the Security Risk Assessment tool. It's going to be version 3.4. It's going to have several enhancements. One of the things that's been talked about here at HIMMS is the new version of HICP, the health industry's cybersecurity practices, that has been updated for 2023. The SRA tool had references to the prior version of HICP and the free version. So one of the enhancements is to update those references to refer to those new 2023 edition practices.
McGee: And when it comes to investigations into breaches that are reported to HHS, and the so-called recognized security practices that these entities should be following and if they are that will be taken into consideration by HHS OCR. In terms of potential enforcement, how are you'll incorporating this into the investigations at this point? When you kind of look to see if there's a checklist of different things that these organizations do between like risk assessment or risk analysis and how comprehensive this risk analysis is? How timely they are? How are you incorporating HICP and other recognized security practices when you do these investigations or reviews of entities that report breaches?
Heesters: Well, the recognized security practices of which HICP is one of the recognized practices are entirely voluntary. So if an entity is not meeting the measure of implementing the HICP cybersecurity practices or implementing this type of security framework, there is not going to be a penalty from an OCR perspective. So OCR enforces the HIPAA rules. We look at the recognized security practices. If we're presented with those, if anyone wants us to see if they have implemented them, if they can demonstrate that they've implemented them for the previous 12 months. And as you said, that's something that we may take in consideration for potential mitigation of penalties. But as far as most of our regulatory obligations, we enforce HIPAA rules, so you wouldn't receive a violation for not implementing HICP but as far as if you are able to demonstrate compliance with HIPAA rules that could lead to tons of violations.
McGee: And finally, in terms of anything else that we should be looking for to come from HHS OCR this year or in the coming months, anything that we should be looking for?
Heesters: I can't think of too much. I guess the one thing let me just refer back to. We are having the 3.4 release of the Security Risk Assessment tool. And I believe there's going to be a couple of webinars coming up on that to discuss the new enhancements and the use of that tool. So if your listeners are a member of or they have signed up for the OCR listserv, they would have gotten notification of that and they can register for one of those sessions if they wish.
McGee: Great. Thank you so much, Nick. I've been speaking to Nick Heesters of HHS OCR. I'm Marianne Kolbasuk McGee of Information Security Media Group. Thanks for joining us.