Are Your Business Associates HIPAA Compliant?

If you are a Covered Entity, you have a vested interest in ensuring your Business Associates are HIPAA compliant. The Office for Civil Rights (OCR) has recently increased its scrutiny of Business Associates, as evidenced by several highly publicized HHS Resolution Agreements levied against this sector. When a Business Associate is found in violation of HIPAA law, the reputation and public trust of the related Covered Entity is negatively impacted. Furthermore, federal law requires Covered Entities to take reasonable steps to ensure their Business Associates maintain HIPAA compliance. With stakes this high, Covered Entities would do well to ensure they have employed a solid Business Associate Management Program.

In HIPAA Security

Healthcare Cybersecurity- Best Technical Defenses

There is a bulls-eye on the healthcare industry, and hackers are zeroing in on the target. The number of cybercrime incidents that evade traditional security defenses are increasing at an alarming rate because the data stored in Electronic Health Records is a lucrative currency to hackers.  Some cyber-risk experts have cited that one Electronic Healthcare Record can go for as high as $500 on the dark web, so it is no wonder that Healthcare is among the most frequently pursued cyberattack targets.

In Cyber Security

Healthcare Cybersecurity- Best Administrative Defenses

While no healthcare organization is immune to cyber-attack, those that implement precautions can either significantly reduce their chances of attack, or at the very least, mitigate the damage in the event of an attack. Administrative defenses are a key component of cybersecurity because they cover the gap that technical defenses cannot protect.  In fact, some common cyber-crime entry points are those that technical defenses simply can’t thwart, such as social engineering ploys and phishing expeditions. 

In Cyber Security

Enterprise Risk Management in Healthcare

Cyber-risk in the healthcare industry is not just an issue for IT Departments, it is a major problem for healthcare executives and stakeholders. The technical security defenses employed by an IT Department cannot fully protect an infrastructure, because cyber criminals are adept at exploiting those defenses or finding alternate points of entry. Cyber-crime threatens a provider’s legal, financial, reputational and operational position, making it a corporate challenge that requires executive and board-level oversight.  

In Cyber Security

Breach Preparedness in the Healthcare Industry

Is your Healthcare organization equipped to respond to a suspected or confirmed data breach?  According to Ponemon’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, data breaches in healthcare remain consistently high for the 6th consecutive year in terms of volume, frequency, impact, and cost. In fact, nearly 90 percent of healthcare organizations represented in this study had a data breach in the past two years, and nearly half, or 45 percent, had more than five data breaches in the same time period.

In HIPAA Security

Social Engineering Attacks Against Healthcare

Social engineering attacks against the healthcare industry are becoming more and more commonplace. Hackers are relentless in their assault against this critical infrastructure, and often use social engineering as a method to gain access to Personal Health Information (PHI), Personal Identifiable Information (PII) and financial information. Social engineering scams can occur over the phone, by email, online or in-person, with hackers often posing as a person of authority or trustworthy contact such as a network administrator, technical support representative or a vendor employee.

Social engineering is a hacker’s clever manipulation of the natural human tendency to trust and avoid conflict, with the objective of gaining access to sensitive information. Healthcare employees can be particularly vulnerable to this scam because they have a natural inclination to be helpful and provide assistance.  The hacker’s goal is to cleverly manipulate their target into unwittingly doing something outside of normal operations, such as disclose a password, user name, financial information or unknowingly download malware.

There are literally hundreds of possible social engineering tactics.  Hackers may send emails that appear to be from trusted sources that tempt the recipient to click on a link or attachment that ultimately downloads malware. Other attempts may involve incoming phone calls where the hacker poses as a representative of a known vendor in an attempt to gain sensitive financial information. Still, others may include a hacker masquerading as a help desk employee in an attempt to acquire log-in credentials, email addresses or answers to security questions. The list of possible techniques continues to grow as hackers hone and refine their skills.

It is sometimes difficult to recognize real-life examples of social engineering attacks because the crime is not easily traced.  The employee(s) that was victimized may not realize he/she disclosed sensitive information to an untrustworthy source, or may be unwilling to admit the disclosure, and therefore the incident goes unreported and undocumented. Furthermore, social engineering breaches sometimes leave no physical evidence or an easily identifiable entry point, so if a breach does occur, the method may remain a mystery.

As healthcare organizations focus on tightening IT security, the threat of social engineering can sometimes remain overlooked.  Yet just one successfully executed attack can result in a serious breach that can cost millions of dollars in fines, not to mention negative publicity and reputational damage. The best defense for healthcare organizations is to:
  • Monitor and communicate industry security trends and vulnerabilities.
  • Keep alert to current and emerging threats, and provide periodic security updates and reminders to your workforce. 

  • Educate employees on the mechanics of spam, phishing and malware. 

  • Test workforce awareness by initiating internal phishing expeditions.

For more information on how you can best protect your organization from social engineering scams, download our Cybersecurity eBook by clicking on the below link:

In Cyber Security