Roger Severino, Lead HIPAA Enforcer, on Fighting Hackers
HHS OCR Director Discusses Importance of Visibility Into Systems
In an exclusive interview, Roger Severino, director of the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, spells out critical steps healthcare organizations must take to safeguard patient information and ensure patient safety in light of the surge in ransomware and other hacking incidents.
"We're seeing a growth of advanced persistent threats where hackers will infiltrate, usually through phishing, to get credentials and get their foot through the door in one area of a covered entity's systems," he says in an in-depth interview with Information Security Media Group.
Then the hackers will "attempt to learn everything they can about the access they gained to see if they can leverage that to jump to a more secure area of the system," he says.
Given that hackers can reside on a network for months or even years, Severino says, it's essential to have "proper audits and logs to have visibility into your system."
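An added, illustrative example of the kind of log visibility Severino describes (this is not code from the interview or from HHS OCR): a small Python detector run over constructed authentication log lines that flags an account reaching many distinct systems in a short window, the pattern of a compromised credential being used to probe for more sensitive areas, and any login to a system outside that account's assumed baseline. The log format, host names and baseline set are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of auth log lines (not from the page): timestamp,user,source_host,target_host,outcome
SAMPLE_LOG = """\
2024-03-01T09:00:05,jsmith,ws-17,mail-01,success
2024-03-01T09:01:10,jsmith,ws-17,fileshare-02,success
2024-03-01T09:02:30,jsmith,ws-17,hr-db-01,success
2024-03-01T09:03:15,jsmith,ws-17,billing-app,success
2024-03-01T09:04:02,jsmith,ws-17,ehr-db-prod,success
2024-03-01T09:10:00,mlee,ws-22,mail-01,success
2024-03-01T11:30:00,mlee,ws-22,fileshare-02,success
"""

# Hosts each account normally reaches, as learned from a prior baseline period (constructed/assumed here).
BASELINE = {
    "jsmith": {"mail-01", "fileshare-02"},
    "mlee": {"mail-01", "fileshare-02"},
}

def parse_log(text):
    """Parse the constructed CSV-style log into (timestamp, user, src, dst, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, src, dst, outcome = line.split(",")
        events.append((datetime.fromisoformat(ts), user, src, dst, outcome))
    return events

def find_lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Flag accounts that successfully reach at least min_hosts distinct hosts within one window."""
    by_user = defaultdict(list)
    for ts, user, _src, dst, outcome in events:
        if outcome == "success":
            by_user[user].append((ts, dst))
    alerts = {}
    for user, hits in by_user.items():
        hits.sort()  # chronological, so each start index opens one sliding window
        for i, (start, _) in enumerate(hits):
            hosts = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = hosts
                break
    return alerts

def find_new_access(events, baseline):
    """Flag successful logins to hosts an account has never reached in its baseline."""
    new = defaultdict(set)
    for _ts, user, _src, dst, outcome in events:
        if outcome == "success" and dst not in baseline.get(user, set()):
            new[user].add(dst)
    return dict(new)
```

Both checks are only possible if successful logins, not just failures, are logged centrally and retained long enough to cover the months-long dwell time Severino mentions.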
Severino says OCR is ramping up enforcement of the HIPAA provisions that give patients the right to easily obtain a copy of all their medical information from multiple sources, because if some information, such as a diagnosis or a medication list, is unavailable, it could lead to serious patient safety issues.
He also points out that when healthcare organizations have relationships with third parties that are acting on their behalf, they must have appropriate business associate agreements "so that the chain of custody of that protected health information remains secure so that there is no weak link in the chain because there is far too much at stake."
In this interview, Severino also discusses:
- The "significant uptick" in breaches tied to hacking incidents;
- What's behind several large recent HIPAA settlements issued by HHS OCR tied to hacking incidents, as well as several smaller cases involving patients' right to access their records;
- The risks involved in paying hackers a ransom to unlock or return stolen patient data;
- Other HIPAA enforcement activities underway at HHS OCR.
Before joining HHS OCR, Severino served as director of the DeVos Center for Religion and Civil Society at The Heritage Foundation. Prior to that, Severino was a trial attorney in the Department of Justice's Civil Rights Division.