October 29, 2020
Cybersecurity Awareness Month is wrapping up (believe it or not it’s almost Halloween, if you’ve lost track of the days this year like we have), but as the month ends the protections and measures you have in place to prevent a cyberattack should remain in full force.
Just a quick glance at our HIPAA news page shows a growing list of recent HIPAA enforcement efforts, many stemming from cyberattacks that could have been avoided. Couple that with growing cyber threats during COVID-19 and you have yourself a pretty good idea of why cybersecurity should stay top of mind for months to come. We know that the word ‘cybersecurity’ can be a little vague – and even daunting – so here’s a recap of the latest and greatest threats to watch out for:
Ransomware Activity
- The Office for Civil Rights (OCR) has sent out several cyber alerts, one in particular highlighting the daily threat (4,000 attacks a day!) that ransomware poses to the healthcare sector. Ransomware literally holds your data for ransom – usually by encrypting the data and preventing access until the ransom is paid – and can make your essential healthcare data completely inaccessible unless you fork over the $$$. Along with the alert, the OCR included a Ransomware Guide and Fact Sheet to help practices understand and manage ransomware risks (specifically, how a HIPAA compliance program can help!).
Phishing Schemes
- Phishing has grown increasingly common (and no, we don’t mean the kind that happens out on a lake), specifically in the healthcare industry. In fact, 88% of healthcare workers reported having opened a phishing email before. The kind of phishing to be on the lookout for (again, not talking about prize-winning trout) is email disguised as coming from a trusted source, but with some small error, and designed to trick the recipient into opening a link or downloading an attachment that paves the way for hackers to enter your systems.
Missing Key Technical Safeguards
- While falling victim to a cyberattack can never be fully prevented, missing necessary safeguards (identified in your Security Risk Analysis) pretty much paints a target on your back. Safeguards like proper encryption, updated server protections, strict authorization policies and procedures such as password protection, and asset logs are key. Just look at any of the recent HIPAA fines related to cyberattacks and you can see that each covered entity was missing multiple safeguards that could have prevented the breach.
Properly Mitigating Potential Threats
- More often than not, practices are aware of a potential cyber threat, yet don’t do anything to stop it. Having audit controls in place to identify and address breaches, and taking the proper action when a threat is identified, is essential to stopping an attack early and staying on the OCR’s good side.
Staying Educated
- Training, training, training – we can’t say this enough! Negligent breaches happen twice as often as malicious ones, and proper employee education is a huge factor in preventing them. While annual staff training is already required under HIPAA, we recommend sharing cyber best practices regularly and always keeping in the know. Pro tip: Abyde’s HIPAA staff training includes common cyberthreats to watch out for and how to avoid them.
Not convinced cybersecurity is important? Just look at the data:
- In February 2020 alone, 1,531,855 records were exposed in healthcare data breaches.
- 82% of healthcare orgs agree that digital security is one of their foremost concerns.
- Insiders are responsible for 59% of all healthcare security incidents and data breaches.
- Only 44% of healthcare organizations meet cybersecurity standards.
We can probably agree that unless you put your practice in a bubble, there really is no such thing as being 100% protected from every cyberthreat out there. Since cutting off access to your patients’ sensitive information entirely is impossible, the next best thing is to have all the necessary technical safeguards in place and to know how to properly handle a threat.