“Cybersecurity” has become something of a buzzword, with news and media outlets regularly warning of stolen data, security breaches and phishing attacks. The problem is acute in the healthcare sector, where a single record of protected health information (PHI) reportedly sells for hundreds or even thousands of dollars on the black market, because it bundles identity, insurance and financial details that can be reused for years. This exposes patients to both financial fraud and medical identity fraud, with potentially devastating consequences. It is therefore imperative that all healthcare providers, and the related businesses that hold PHI on their behalf, employ adequate cybersecurity measures in a HIPAA-compliant manner.
Since HIPAA was first enacted in 1996, it has undergone many revisions and additions. For cybersecurity, the most relevant part is the Security Rule (published in 2003, with compliance required from 2005), which deals specifically with electronic protected health information (ePHI). The Security Rule lays out three categories of safeguards (administrative, physical and technical) that all covered entities (CEs) and business associates (BAs) must implement to be HIPAA-compliant. Of the three, the technical safeguards are the most relevant to a discussion of cybersecurity.
Encryption is the technical safeguard most often discussed, because it keeps ePHI unreadable to anyone who obtains it without the key. Under the Security Rule, encryption is an “addressable” implementation specification, but that term is misleading: addressable does not mean optional. A CE or BA must either implement encryption or document why doing so is not reasonable and appropriate in its environment and put an equivalent alternative measure in place. In practice, encrypting ePHI both at rest and in transit is the expected baseline, and it has a further benefit under the Breach Notification Rule: ePHI that was encrypted in line with HHS guidance when the device or file was lost or stolen is not considered “unsecured”, so its loss is not a reportable breach (provided the key was not compromised as well).
Phishing is when cybercriminals send fraudulent emails, messages, or other means of communication to individuals in the hope of tricking them into handing over personal information. This information can then be used by the criminals to gain access to the network, and in the case of the health sector, steal ePHI.
Anyone can be a target of phishing, so it is essential that all employees are trained to spot phishing messages. This can be difficult: many criminals mimic reputable sources or use social engineering to convince targets that it is safe to hand over data. Simple habits help reduce the rate of successful attacks: never send credentials or private details in reply to an email; hover over a link to check where it actually points before clicking; and instead of following a link in an unexpected message, open the supposed sender’s site by typing its known address or using a saved bookmark. Note that copying a suspicious link out of the email and pasting it into a browser offers no protection, since it still leads to the attacker’s page; any message asking for credentials should be reported to the security team rather than acted on.
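The mismatches a trained reader is taught to look for can also be checked mechanically. The following Python script is an added example for this article, not code from the original page or from any HIPAA guidance: it parses the links in an HTML email body and flags the tricks just described, namely visible text that names one site while the href leads to another, punycode (IDN) hosts that render as lookalike characters, and hosts that borrow or closely resemble a trusted domain. The trusted-domain list and the sample message are constructed for the demo, and the registrable-domain logic is deliberately simplistic.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example for this article (not code from the original page or from any
HIPAA guidance). TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for the demo.
"""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains the organisation actually uses (assumed for the example).
TRUSTED_DOMAINS = {"example-health.org"}

# Visible link text that itself looks like a URL or a bare domain name.
DOMAINISH = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/?#].*)?$", re.I
)


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Assumption: no multi-part public suffixes
    such as co.uk; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(href: str, text: str) -> list:
    """Return the reasons a single link looks deceptive (empty list if none)."""
    findings = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return [f"non-web or malformed link: {href!r}"]
    if parsed.scheme == "http":
        findings.append("plain http (no TLS) link")

    # A punycode label is shown by the browser as Unicode, possibly as a
    # homoglyph of a familiar name; surface what the user would actually see.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = "?"
        findings.append(f"punycode host {host} renders as {shown!r}")

    # The visible text names one site while the href goes to another.
    m = DOMAINISH.match(text)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        findings.append(f"text shows {m.group(1)} but link goes to {host}")

    # The host is not ours but borrows our name or is one typo away from it.
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            similar = difflib.SequenceMatcher(None, reg, trusted).ratio() >= 0.8
            if brand in host or similar:
                findings.append(f"{host} imitates trusted domain {trusted}")
    return findings


def scan_email(html_body: str) -> dict:
    """Map each flagged href in the message to its list of findings."""
    collector = _LinkCollector()
    collector.feed(html_body)
    report = {}
    for href, text in collector.links:
        findings = link_findings(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample: one legitimate link followed by three deceptive ones
# (the xn-- host is the well-known Cyrillic "apple.com" homoglyph demo).
SAMPLE_EMAIL = """<html><body>
<p>Your patient-portal password expires today.</p>
<p><a href="https://portal.example-health.org/login">Sign in</a></p>
<p><a href="http://example-health.org.login-verify.com/reset">https://portal.example-health.org/reset</a></p>
<p><a href="https://examp1e-health.org/mfa">Verify your MFA device</a></p>
<p><a href="https://xn--80ak6aa92e.com/help">Help</a></p>
</body></html>"""

if __name__ == "__main__":
    for flagged_href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(flagged_href)
        for reason in reasons:
            print("  -", reason)
```

Run against a saved message body, the script reports the three deceptive links and stays silent on the genuine one. In practice these checks belong in the mail gateway rather than on the desktop, and the similarity threshold (the 0.8 difflib ratio) needs tuning against the organisation's own domain names to keep false positives down.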
Phishing is particularly dangerous when it leads to the installation of malware, and ransomware has caused the most visible damage over the last few years. In a typical phishing-borne case the ransomware arrives as an email attachment or a link to a download; once it runs, it encrypts the files it can reach and demands a “ransom” for the key needed to recover them. Many readers will remember the WannaCry outbreak of May 2017, which hit healthcare providers around the world, including dozens of NHS organisations in the UK, and forced the cancellation of appointments and operations. WannaCry is also a reminder that phishing is not the only way in: it spread as a worm by exploiting a Windows SMBv1 vulnerability (MS17-010) for which a patch had been available for two months, so keeping systems patched matters as much as staff training. Note, too, that HHS treats a ransomware infection that encrypts ePHI as a presumed breach unless the organisation can demonstrate a low probability that the data was compromised.
HIPAA itself does not “prosecute”; enforcement is carried out by the HHS Office for Civil Rights (OCR), and a successful attack is not automatically a violation. Where an attack succeeds despite reasonable precautions, OCR examines whether the CE or BA had met the Security Rule’s requirements beforehand, in particular whether it had performed an accurate and thorough risk analysis and implemented the safeguards that analysis identified. Penalties follow from shortcomings found in that review, not from the attack as such. Whatever the outcome, the Breach Notification Rule still applies: affected individuals and HHS (and, for large breaches, the media) must be notified within the required timeframes.
Cybersecurity is thus an essential component of HIPAA compliance: without it, every electronic copy of a patient record is at risk. The biggest threats come from attackers who intercept data in transit or otherwise gain remote access to systems holding ePHI, and from phishers who use social engineering to trick staff into surrendering credentials or private information. Technical safeguards such as encryption, access control and audit logging address the first group; careful staff training, backed by email filtering and a simple channel for reporting suspicious messages, helps ensure that employees spot phishing attempts and deal with them before any data is stolen.