Cyberattacks on health care networks have increased exponentially in recent years, placing highly sensitive patient information at risk. Health care IT can help by stepping up security measures, and organizations can provide updated cybersecurity training for staff. Here are some of the key cybersecurity fundamentals and best practices to follow.
Human error or neglect can have serious and costly consequences for health care institutions. Cybersecurity training provides health care personnel with the information they need to make wise decisions and exercise appropriate caution while managing patient data. In particular, effective cybersecurity training should help employees recognize and halt attacks before they cause damage. A good place to begin is consulting with a reliable cybersecurity provider who will work with you to tailor a cybersecurity and employee training program to safeguard your data.
Another reason cybersecurity training is vital is because it’s mandated by HIPAA. Specifically, the HIPAA Privacy Rule contains a provision requiring a provider to “train all members of its workforce on the policies and procedures with respect to protected health information (PHI),” and the HIPAA Security Rule includes a similar requirement for a provider to “implement a security awareness and training program for all members of its workforce (including management).” With that training in place, and repeated often, employees are better equipped to recognize situations where the use of PHI warrants special protections, such as the use of HIPAA compliant email or role-based access controls.
In addition to recognizing threats, employees must also be trained on the organization’s data incident reporting protocol when an employee's device becomes infected with a virus or performs abnormally. Warning signs for such problems may include a machine running slowly, unexplained errors, changes in the way a computer functions, etc. They should understand how to identify a genuine warning message or alert and promptly report such incidents to IT staff.
Beyond the training requirements noted previously, the HIPAA Privacy and Security Rules include a wide range of provisions to help safeguard patient data.
HIPAA's Security Rule ensures the security of electronic health information created, used and maintained by covered entities, i.e., organizations that are subject to HIPAA. In the HIPAA Security Rule, policies and procedures are established for how protected health information should be managed from administrative, physical and technical perspectives.
In accordance with the Privacy Rule, information cannot be used or shared without the patient's permission. According to the HIPAA Privacy Rule, personal health information, including medical records, insurance information and other sensitive data, must be protected.
Those rules have experienced a number of updates since they were first added to the HIPAA law in 2000 (Privacy Rule) and 2003 (Security Rule), including the recent Notification of Enforcement Discretion for Telehealth, which was enacted during the pandemic to give providers more flexibility in using remote communication tools for telehealth.
It’s important for health care providers and staff to stay up to date with HIPAA regulations and rules as part of their cybersecurity training.
Passwords can be an easy target for exploitation by bad actors. One of the most serious dangers to company security is a weak password. Organizations like the National Institute for Standards in Technology (NIST) regularly publish and update recommended password guidelines. The latest NIST recommendations* include:
One of the most common ways that hackers acquire access to a company's network is through email phishing attacks, also known as email spoofing or email impersonation. Phishing is a malicious attempt to trick recipients into giving up personal and online account information in order to access and exploit more valuable and sensitive systems.
Within health care practices, display name spoofing – a targeted phishing attack where an email’s display name is altered to make a message look like it comes from a trusted source – is a frequent attack strategy used by bad actors. While there is technology designed specifically to combat display name spoofing, when it comes to training, it’s important for employees to understand the who, what, where, when and why of every email they receive. Specifically:
The best defense is often a good offense and being prepared and educated about cybersecurity threats is of the utmost importance for health care practices. The combination of strong IT safeguards, as well as a cybersecurity-aware staff, can go a long way to conducting your practice in a safe and secure manner.
Shawn Dickerson is Vice President of Marketing for Paubox, a leader in HIPAA compliant email and marketing solutions for healthcare organizations.