Attorney warns HHS is likely to get tougher on data security

Much of the nation’s healthcare stakeholders aren’t doing enough to take cybersecurity measures necessary to mitigate cyber threats.

The lack of sufficient action is despite continuing assaults from hackers and mounting regulatory actions by the HHS Office for Civil Rights, which enforces the laws on data protection.

OCR regulators want to see more effort to secure data; they want to see adequate cyber technology, processes and additional appropriate controls by providers and insurers, says attorney Laura Hammargren, a partner in the Mayer Brown law firm in Chicago.



“This is not a technology problem, but it requires information technology, legal, privacy and human resources compliance, of which all at some time will be involved,” she explains.

Also See: 7 emerging data security and risk management trends

OCR has become more actively involved in oversight and has previously issued guidance covering information security and customized incident response plans that should be followed.

Hammargren can’t say for sure if OCR’s moves are intended as a warning, but she believes that failure to implement enhanced security “will lead to negative consequences in the future if appropriate controls are not put in place. HHS explicitly expresses this for healthcare and it should not be ignored. HHS guidance is intended to highlight the need to improve security.”

Hammargren also emphasizes that HHS will be watching this year for signs of how well the industry is moving toward better security. State attorneys general and other regulators also are becoming more active, she cautions.