Phishing, ransomware, and supply chain attacks have surged in 2021. Following several significant data breaches in the last year, the Biden administration has urged businesses to take a proactive stance against cybersecurity attacks in order to prevent their data from being compromised.¹
No company is too small or doing business in an industry that is not targeted by hackers. Every organization should have safeguards and procedures in place for preventing security incidents before they happen. Here is our guide for what you can do to strengthen your security program, prepare your workforce, and keep your organization’s information safe.
Why are data breaches becoming more of a threat?
The COVID-19 pandemic greatly accelerated the demand for cloud-based offerings. During the first quarter of 2020, cloud spending rose 37% to $29 billion. The shift to remote work across many industries has precipitated a need for long-term security plans which take into account the presence of workers offsite, virtual access to systems, and technical safeguards which may be required on home networks or devices. Many organizations which have failed to properly migrate their data and systems into a remote environment have left their information vulnerable to hackers.²
Some of the major cybersecurity attacks of the past year include:
- The infamous SolarWinds hack, in which a massive data breach occurred after SolarWinds, a third-party vendor widely used across the federal government, fell victim to a sophisticated hacking campaign.³
- A ransomware attack on Colonial Pipeline, which disrupted fuel supplies along much of the East Coast for several days.⁴
- A ransomware attack on the world’s largest meat processing company, JBS, in which the company’s servers were breached and production was halted.⁵
- The New York subway system hack, which was part of a larger breach of multiple federal agencies and critical organizations.⁶
These attacks reveal that hackers are targeting infrastructure like transportation systems and hospitals as well as tech companies and those in other industries. Hackers are indiscriminate in that they lodge attacks against sole proprietors, multi-billion-dollar companies, and all those in between.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is also increasing crackdowns on companies that experience data breaches. This is just one of many reasons why all organizations regardless of size, scope, systems, or data should have a HIPAA compliance plan in place which includes a strong security program.
What you can do to prevent cybersecurity attacks
Annual HIPAA compliance training is crucial for preventing cybersecurity attacks. Not only should you have technical safeguards in place like patching and software updates but you must also train your workforce to recognize potential breaches before they happen. Employees are your first line of defense, and often your weakest link.
Phishing attacks are often conducted over email. If employees are properly trained, they will know not to open any suspicious emails and not to click any links or carry out any requested action items. Many attacks like these come about as a result of user error. Know how to spot attempted breaches and have procedures in place for how they will be prevented, documented, and analyzed to make sure the safeguards you have in place are sufficient.
The FBI advises against paying ransomware fines. Paying does not guarantee that you will get your data back, and may result in the loss of money and your data. It’s better to manage a lack of access for a short time while authorities assist you in recovering your information than to place a large financial burden on your business by paying a ransom. The only way to discourage ransomware attacks is for businesses to stop paying hackers, and the best way of not paying is to have safeguards in place that prevent it from happening.⁷
Data breach prevention checklist
- Perform a Risk Assessment: A Risk Assessment allows you to identify gaps and weaknesses in your organization’s security standards and mitigate them before they become an issue. It is an essential step in being HIPAA compliant and maintaining the security of your data.
- Document and follow your HIPAA compliance plan: If you don’t have it documented, then it doesn’t exist. A comprehensive compliance plan will include Privacy and Security Policies and Procedures, a Disaster Recovery Plan, a Remote Work Policy, a BYOD (Bring Your Own Device Agreement), and Business Associate Agreements with third parties.
- Update and patch systems: Software updates and patches are essential for closing critical holes in your systems. Have a plan for how to push these updates across all systems in a timely manner. Many systems allow for auto-update. Discuss with your IT professional if this is appropriate for your company.
- Follow the 3-2-1 backup rule: Have at least three backups on two different kinds of media, with at least one offsite.
- Train your staff on your security standards: Your staff should not only be able to recognize social engineering (ex: phishing) attacks but also know the proper procedure for dealing with them.
- Install anti-malware software: You should have firewalls and anti-malware programs on all devices which have access to company data. These programs should be regularly updated.
- Configure firewalls properly: Firewalls keep your network safe from the outside world and keep employees from accessing forbidden sites. Talk with your IT professional to make sure your firewalls are configured properly, reviewed, and updated as needed.
You should be reviewing and updating your compliance plan regularly so that it properly reflects the current state of your business. HIPAA compliance and cybersecurity should be treated as ongoing processes, not one-time tasks to be completed. You must adapt your systems, technical safeguards, and security procedures as technology or your operations change. If you take a proactive stance on security, you’ll be able to become and stay compliant.
Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.
Want to know more about how you can become HIPAA compliant?
Email us at firstname.lastname@example.org to learn more about how we can help your organization become (and stay!) HIPAA Compliant. Or, get started here.
- Business leaders must take urgent action to counter ransomware threat, White House warns in memo
- Can you meet customer demand for cloud-based computing?
- What We Know About the SolarWinds Breach
- Colonial Pipeline, post-hack: US issues new cybersecurity regulations
- Largest meat producer getting back online after cyberattack
- New York subway system was targeted by Chinese-linked hackers in April
- Common Scams and Crimes: Ransomware