OCR's Latest HIPAA Guidance and Common HIPAA Pitfalls - DataBreaches.Net
Briefly

"As Theresa Defino recently reported, HHS OCR will prioritize risk assessments and expand its investigations into risk management in 2026. Alisa Chestler and Layna Cook Rush of Baker Donelson have summarized some recent recommendations from HHS OCR's January 2026 Cybersecurity Newsletter that regulated entities may want to pay increased attention to at this point:
Patching Is a Required Risk Management Activity
Legacy Systems and Unpatchable Vulnerabilities Are Not Excuses
Unnecessary Software and Default Accounts Create Hidden Risk"
"In related discussion of HIPAA pitfalls, Eric E. Kinder of Spilman, Thomas, & Battles identifies 10 common pitfalls that may result in enforcement action.
Forgetting the obligation to perform an organization-wide risk analysis.
Not following up on identified security risks.
Denying patient access to health records.
Not having a HIPAA-compliant business associate agreement.
Failing to have proper electronic PHI access controls.
Failing to encrypt PHI."
HHS OCR will prioritize risk assessments and expand its investigations into risk management in 2026. Regulated entities should treat patching as a required risk management activity; neither legacy systems nor unpatchable vulnerabilities excuse leaving a known weakness unaddressed, and where a patch is unavailable the entity is expected to document and apply compensating controls. Unnecessary software and unchanged default accounts add hidden risk. Security controls must be enabled and properly configured, security baselines are strongly encouraged, and testing and evaluation of controls are mandatory. Practical actions include inventorying assets, applying patches, removing unnecessary software, securing or disabling default accounts, documenting configurations, and testing controls regularly. Common HIPAA pitfalls include failing to perform an organization-wide risk analysis, neglecting remediation of identified risks, denying patients access to their records, lacking business associate agreements, weak ePHI access controls, and untimely breach notifications.
Read at DataBreaches.Net