“Cybersecurity” seems a buzzword of late, with multiple news and media outlets warning of stolen data, security breaches and phishing attacks. This is particularly problematic in the healthcare sector, where a single file of protected health information (PHI) can reach a value of thousands of dollars on the black market. Theft of PHI places patients at risk of fraud, which can have devastating consequences. Thus, it is imperative that all healthcare providers and business associates that hold or have access to PHI employ adequate cybersecurity measures to protect that information.
Since HIPAA was enacted in 1996, it has undergone many revisions and additions. When considering cybersecurity, the most relevant rule is the Security Rule (2005). This part of HIPAA specifically deals with electronic protected health information (ePHI). The Security Rule essentially lays out three different means of protection (administrative, technical and physical) that all covered entities (CEs) and business associates (BAs) must implement to be HIPAA-compliant. Of the three safeguards, the technical safeguards are most relevant to our discussion on cybersecurity.
The main technical safeguard is encryption, which ensures that data is protected from unauthorized access. Though this is termed an “addressable” requirement under HIPAA, the term is misleading. For a CE or BA to be HIPAA-compliant, they must use some form of encryption, or an equally secure technology, on all of their PHI.
Phishing is an attack in which cybercriminals send fraudulent emails or messages, or use other means of communication, to trick individuals into handing over sensitive information or installing malware. Oftentimes, the aim is to obtain login credentials that can be used to gain access to the network or email accounts and steal ePHI.
Anyone can be a target of phishing, so it is essential for all employees to be trained to spot phishing emails. Identifying phishing emails can be difficult. Attacks often involve the spoofing of contacts and trusted businesses, and social engineering techniques are used to convince targets that it is safe to disclose information. Simple rules such as never sending private details by email, never opening attachments from unknown individuals, and never visiting hyperlinks sent in emails can help to prevent individuals from falling for a phishing scam.
Phishing is particularly dangerous if it leads to the downloading of malware. Malware can take many forms, but ransomware has caused many problems over the last few years. Ransomware encrypts files to prevent access, and a ransom is demanded in exchange for the keys needed to decrypt them. Many readers will be familiar with the “WannaCry” attacks that targeted healthcare providers around the world and put many patients at risk.
In the case of unavoidable and unforeseeable cyberattacks, where all the necessary precautions had been put in place but failed to prevent an attack, OCR will not issue financial penalties. However, it must be shown that before the attack, CEs and BAs were in compliance with all of the requirements of the HIPAA Security Rule.
Cybersecurity is an essential component of HIPAA compliance. Without appropriate cybersecurity controls, electronic copies of patient records are at risk of compromise. The biggest threats come from hackers who try to gain access to healthcare networks and email accounts and from “phishers” who use social engineering techniques to trick victims into divulging sensitive information.
Technical safeguards can be employed against both of these types of attacks, while staff training can help to ensure that employees spot phishing emails and do not respond.