Make cybersecurity part of your 2024 New Year’s resolutions
Managing cybersecurity and data privacy has become a critical business function, and employer-sponsored health plans and other HIPAA-covered entities are not immune from risk. Start 2024 understanding the threats to electronic protected health information (ePHI) and develop a plan to mitigate risk and manage a crisis in the event of an attack.
In just the last few months, HHS announced the first-ever settlement agreements involving a ransomware attack and a phishing attack that together affected the ePHI of more than 240,000 individuals and cost the companies involved over $500,000. (Ransomware is a type of malicious software designed to deny access to a user’s data until a ransom is paid; phishing is where individuals are tricked into disclosing sensitive information via electronic communication.)
As you settle into 2024, consider putting these tasks at the top of your New Year’s resolutions list:
- Review the HIPAA security management process, including the plans for identifying and responding to cybersecurity incidents.
- Review authentication standards, then identify and remedy any risks of unauthorized access to ePHI.
- Verify that TPAs and other business associates are implementing audit controls and sharing results and risk-mitigation measures with the plan sponsor.
- Evaluate any health plan vendor supplying wellness and transparency tools, mobile apps and artificial intelligence to determine if HIPAA applies.
- Evaluate HIPAA challenges in telehealth.
But don’t end your resolutions with HIPAA; it’s important not to overlook other privacy and security responsibilities. Consider ERISA’s fiduciary duties, which may require plan sponsors to implement cybersecurity measures for health and welfare plans that aren’t subject to HIPAA, and to review the cybersecurity practices of all ERISA plan service providers. The FTC may require additional cybersecurity measures, particularly for mobile technologies and other digital solutions that generate, store, or share health information. Beware of embedded tracking technologies that collect and analyze information about how users interact with websites or mobile applications; they can result in unauthorized disclosure of personal health information. Lastly, evaluate the new SEC cybersecurity risk management and incident disclosure rule as it pertains to your organization, including your benefit programs.
For a complete list of action items to get underway as you step into a new year, see our GRIST: Top 10 health, leave benefit compliance and policy issues in 2024.