HIPAA Clicks

In the first of its 2026 quarterly cybersecurity newsletters, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) urged HIPAA-regulated entities to take steps to harden system security and make it more difficult for hackers to gain access to their networks and sensitive patient and health plan member data.

The HIPAA Security Rule requires HIPAA-regulated entities to ensure the confidentiality, integrity, and availability of electronic protected health information that the regulated entity creates, receives, maintains, or transmits, which must include identifying risks and vulnerabilities to ePHI and taking timely action to reduce those risks and vulnerabilities to a low and acceptable level. OCR Director Paula Stannard has already stated this year that OCR will be looking closely at HIPAA Security Rule compliance. OCR will continue with its risk analysis enforcement initiative, which will evolve to include risk management to ensure that regulated entities are taking prompt action to reduce risks and vulnerabilities to ePHI identified by their risk analyses.

OCR explained in the newsletter that risks can be reduced by creating a set of standardized security controls and settings for different types of electronic information systems, addressing security weaknesses and vulnerabilities, and customizing electronic information systems to reduce the attack surface.

OCR reminded medical device manufacturers that they have an obligation to ensure that their devices include accurate labelling to allow users to take steps to ensure the security of the devices throughout the product lifecycle, and the importance of following Food and Drug Administration (FDA) guidance on security risk management, security architecture, and security testing. Healthcare providers need to read the labelling on their devices carefully and ensure they understand how the devices should be configured to remain safe and effective through the entire product lifecycle.

OCR highlighted three key areas for hardening system security, all of which are vital for HIPAA Security Rule compliance. Threat actors search for known vulnerabilities that can be exploited to gain a foothold in a network, including vulnerabilities in operating systems, software, and device firmware. Whether the device is brand new or has been in use for some time, patches must be applied to fix known vulnerabilities. It may not be possible to patch vulnerabilities as soon as they are discovered; however, other remedial actions should be taken, as recommended by vendors, to reduce the risk of exploitation until patches are released and can be applied. A comprehensive and accurate IT asset inventory should be maintained, and policies and procedures developed and implemented to ensure a good patching cadence for all operating systems, software, and devices.

All organizations should take steps to reduce the attack surface by removing unnecessary software and devices, including software and devices that are no longer used, software features included in operating systems that serve no purpose for the regulated entity, and generic and service accounts created during the installation process. Accounts created during installation may have default passwords, which must be changed. OCR explained that in many of its investigations, accounts have been found for well-known databases, networking software, and anti-malware solutions that still have default passwords that provide privileged access.

Many cyberattacks occur as a result of misconfigurations. HIPAA-regulated entities must ensure security measures are installed, enabled, and properly configured. “Security measures often found in operating systems, as well as some other software, intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as, for example, access controls, encryption, audit controls, and authentication,” explained OCR. “A regulated entity’s risk analysis and risk management plan can inform its decisions regarding the implementation of these and other security measures.”

As OCR will be scrutinizing risk management and has advised regulated entities of their responsibilities to harden system security, all regulated entities should ensure they take the advice on board. “Defining, creating, and applying system hardening techniques is not a one-and-done exercise,” explained OCR. “Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time,” and is essential for HIPAA Security Rule compliance.

The post OCR Advises HIPAA-Regulated Entities to Take Steps to Harden System Security appeared first on The HIPAA Journal.

HIPAA Clicks

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information

OCR Advises HIPAA-Regulated Entities to Take Steps to Harden System Security

MethodHub Achieves HIPAA Certification, Strengthening Its Commitment to Healthcare Data Security – progress-index.com

Darcelle Skeete Burgess named director of HIPAA Privacy Office at Vanderbilt Health – The Tennessee Tribune

Compliance alert: Are you ready for the Part 2 deadline? – apaservices.org

MethodHub Achieves HIPAA Certification, Strengthening Its Commitment to Healthcare Data Security – The Desert Sun

MethodHub Achieves HIPAA Certification, Strengthening Its Commitment to Healthcare Data Security – Columbia Daily Tribune

MethodHub Achieves HIPAA Certification, Strengthening Its Commitment to Healthcare Data Security – The Des Moines Register

MethodHub Achieves HIPAA Certification, Strengthening Its Commitment to Healthcare Data Security – Knoxville News Sentinel

EPIC Report Exposes Health Data Privacy Crisis – Evrim Ağacı

Latest News from Around the Web

Categories