When it comes to healthcare data security, OCR said that the three main areas of error are the lack of encryption, lack of transmission security and the use of unpatched or unsupported software.
OCR said that all HIPAA-covered entities must either implement encryption or document why encryption is not reasonable and appropriate in a particular circumstance. From there, the entity must implement reasonable compensating healthcare data security controls.
Encrypting data in transit is also a requirement, OCR said. This is important, for example, for the use of mobile devices in healthcare.
And finally, healthcare organizations' use of unpatched or unsupported software creates a healthcare data security risk on systems that access ePHI. However, with patch management technologies, it is possible to automatically update and patch software.