The Health Insurance Portability and Accountability Act (HIPAA) affects nearly every healthcare provider, insurer and business associate in the country. In HIPAA's early days, compliance was largely a matter of manual controls: privacy agreements, office policies and a great deal of paperwork. But in the twenty-three years since its enactment, HIPAA compliance has become considerably harder.
As more healthcare organizations turn to technology to store and manage medical information, threats to patient privacy have grown. The number of patients affected by data breaches in 2019 has already doubled last year's record high.
As cyber criminals step up their activity, the HHS Office for Civil Rights (OCR) has stepped up enforcement, reporting an all-time record for HIPAA enforcement in 2018. Caught between the threat of a data breach and the threat of enforcement, healthcare organizations are bolstering their digital defenses and spending more on cybersecurity than any other industry.
Yet Business Insider reports that “cybersecurity is no longer the top priority for industry leaders.” Many providers simply cannot keep up with the technology and tactics criminals use, or with the rising fees cybersecurity firms charge. One of the most cost-effective measures, however, may also be the simplest: training.
Traditionally, HIPAA compliance training has focused on preventing internal breaches, such as employees releasing confidential patient information. With cyberattacks now causing more than 60% of all data leaks, the focus needs to shift to external attacks as well. A recent report in Security Magazine found that nearly a quarter of healthcare workers in the U.S. have “never received cybersecurity training from their workplace.”
Cybersecurity training cannot protect against every threat, but combined with other reasonable safeguards it can reduce your risk of a data breach and help keep your facility HIPAA compliant. Training equips staff with the knowledge to recognize threats, and the HIPAA Security Rule lists Security Awareness and Training among its administrative safeguard standards (45 CFR 164.308(a)(5)), so a training program is not only good practice but a compliance obligation.
Cyber criminals rely heavily on email fraud. Phishing attacks and fraudulent emails targeting the healthcare industry have increased more than 470% over the past two years. These emails often appear to come from a legitimate source and request sensitive information. Criminals have even sent emails posing as the OCR and asking recipients to click a potentially harmful link.
There are technical measures, such as email filtering, that can keep many of these messages out of office inboxes. But it takes only one message slipping past those defenses to put your network at risk.
If an employee opens such an email and clicks a link, downloads an attachment, or replies with sensitive information, your patients' data could be compromised. Cybersecurity training helps staff recognize fraudulent emails and know what to do when they receive one.
Train staff to scrutinize suspicious emails by looking for these common red flags:
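The following Python script is added here as an illustration and is not part of the original article. It codifies several red flags that awareness training commonly teaches staff to look for: a display name that borrows a trusted organization's name while the actual address sits on a look-alike domain, a Reply-To header pointing at a different domain than the From address, pressure language in the subject line, link text that shows one site while the underlying href goes to another, and attachment types that commonly carry malware. The trusted-domain list, the phrase list and both sample messages (one impersonating the OCR, in line with the warning above, and one benign reminder) are constructed for the example and are not real notices; the script is a training aid for recognizing patterns, not a replacement for mail filtering.

```python
"""Flag common phishing red flags in a raw RFC 5322 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: the practice's own domain plus a sender it legitimately hears from.
TRUSTED_DOMAINS = ("example-clinic.org", "hhs.gov")

# Pressure phrases that awareness training teaches staff to treat as a warning sign.
PRESSURE_PHRASES = ("urgent", "immediately", "verify your", "account suspended", "within 24 hours")

# Attachment extensions that commonly carry executables or macros.
RISKY_EXTENSIONS = {"exe", "js", "vbs", "scr", "docm", "xlsm", "zip", "iso", "html", "htm"}

_ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: impersonates the OCR, as the article warns criminals have done.
SAMPLE_PHISH = """\
From: "HHS Office for Civil Rights" <ocr-notice@hhs-gov-compliance.com>
Reply-To: audit-desk@mail-relay.example.net
To: frontdesk@example-clinic.org
Subject: URGENT: HIPAA audit notice - verify your account within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your practice has been selected for a HIPAA compliance audit.</p>
<p>Log in at <a href="http://hhs-gov-compliance.com/login">https://www.hhs.gov/ocr</a> to confirm.</p>
</body></html>
"""

# Constructed sample: an ordinary internal reminder that should raise no flags.
BENIGN_MESSAGE = """\
From: "Example Clinic IT" <it@example-clinic.org>
To: frontdesk@example-clinic.org
Subject: Reminder: quarterly security awareness training on Friday
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The next session is Friday at 9am in the conference room. Slides will be at
https://intranet.example-clinic.org/training afterwards.
"""


def domain_of(value):
    """Lower-cased domain of an e-mail address, URL or bare host name; '' if none."""
    value = value.strip()
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return value.lower() if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", value, re.I) else ""


def is_trusted(domain):
    """True if the domain is one of the trusted domains or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def phishing_red_flags(raw_message):
    """Return a list of human-readable red flags found in a raw message."""
    msg = message_from_string(raw_message)
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Red flag 1: display name borrows a trusted organization's name, address does not match.
    for trusted in TRUSTED_DOMAINS:
        org = trusted.split(".")[0]
        if org in display_name.lower() and not is_trusted(from_domain):
            flags.append(f"display name mentions '{org}' but sender domain is {from_domain}")

    # Red flag 2: replies are quietly redirected to a different domain.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Red flag 3: urgency or credential language in the subject.
    subject = msg.get("Subject", "").lower()
    hits = [p for p in PRESSURE_PHRASES if p in subject]
    if hits:
        flags.append(f"pressure language in subject: {', '.join(hits)}")

    for part in msg.walk():
        # Red flag 4: link text shows one site while the href points elsewhere.
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for href, text in _ANCHOR_RE.findall(html):
                href_domain = domain_of(href)
                text_domain = domain_of(re.sub(r"<[^>]+>", "", text))
                if text_domain and text_domain != href_domain:
                    flags.append(f"link text shows {text_domain} but points to {href_domain}")
                elif href_domain and not is_trusted(href_domain):
                    flags.append(f"link to untrusted domain {href_domain}")
        # Red flag 5: attachment type that commonly carries malware or macros.
        name = part.get_filename()
        if name and name.lower().rsplit(".", 1)[-1] in RISKY_EXTENSIONS:
            flags.append(f"risky attachment type: {name}")

    return flags


if __name__ == "__main__":
    for label, raw in (("phishing sample", SAMPLE_PHISH), ("benign sample", BENIGN_MESSAGE)):
        found = phishing_red_flags(raw)
        print(f"{label}: {len(found)} red flag(s)")
        for flag in found:
            print("  -", flag)
```

Run against the constructed phishing sample the script reports four flags (borrowed display name, mismatched Reply-To, pressure language, and a link whose visible text does not match its target) and none for the benign reminder. The same five checks map directly onto what staff can verify by eye: who the message is really from, where a reply would go, whether the subject is pushing for haste, where a link actually leads when hovered, and what kind of file is attached.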
The Security Rule specifically names password management (procedures for creating, changing and safeguarding passwords) as an implementation specification under its Security Awareness and Training standard. Weak or reused passwords leave your patients' data and your network open to attack. Train employees on password best practices, including:
The modern healthcare office relies on portable technology such as PDAs, laptops and tablets. Each device can be a gateway into your network, and therefore a target for cyber criminals. Train your employees to keep these devices secure, including logging off properly and maintaining an accurate inventory. USB flash drives have become a popular way for criminals to get into networks, so teach staff to treat thumb drives from unknown sources with suspicion and never to plug them in.
To be most effective, training, like risk assessment, needs to happen on a continual basis. In hectic environments employees forget or skip best practices, and cyber criminals constantly refine their tactics. Provide ongoing training to keep cybersecurity top of mind and to help staff adapt to new scammer techniques.
Cybersecurity cannot drop off administrators' radar. Data breaches and HIPAA enforcement continue to threaten healthcare organizations large and small, and neither is going away any time soon. Make sure your staff has the resources and tools to identify threats by providing up-to-date cybersecurity training to every member of your team.
Even with the best defenses, breaches can happen. If your healthcare organization is attacked, make sure you are protected with cybersecurity liability insurance.