While much of the anti-malware technology that protects us from hackers has become increasingly sophisticated, so have attackers’ methods. According to the U.S. Department of Health and Human Services (HHS), hacking incidents affecting 500 people or more increased by 45% from 2019 to 2020. If you operate a business that frequently processes electronic protected health information (ePHI), this statistic is certainly something to pay attention to. So, if cybersecurity attacks are on the rise, what are the most common attacks to look out for, and how can you defend against them?
Phishing
Phishing is a type of attack in which an attacker impersonates a trusted individual or organization, usually via email, to persuade the recipient to share sensitive information. It was recently reported that over 42% of ransomware attacks in Q2 of 2021 involved phishing. One way you can defend against phishing is by learning how to spot a phishing scam and educating your employees to do the same. Your organization should also have an established protocol to follow whenever a suspicious or out-of-the-ordinary communication is received.
Luckily, if you’ve structured your organization’s policies and procedures around the HIPAA Security Rule, much of this is already baked into the Security portion of your HIPAA compliance plan. The Security Rule requires that all employees take part in a security awareness and training program on an ongoing basis. This ensures that everyone who has access to ePHI is trained, up to date on the latest cybersecurity threats, and knows how to avoid them.
One practice many organizations have adopted is sending simulated phishing emails to members of the workforce to gauge their response. They track how many recipients opened the email, how many reported it as suspicious, and so on. This allows management to get a sense of how aware employees are of this type of scam, so they can tailor future training accordingly.
We also recommend installing anti-malware software on all organization devices, so training and employee awareness are not your only lines of defense. Effective anti-malware software can help flag or even block certain communications before they reach employees’ inboxes.
Weak Cybersecurity Practices
It should go without saying that if you want a strong defense against cybersecurity attacks, you need strong cybersecurity practices. Although this might seem like common sense, an alarming number of attacks could have been prevented if the organization had implemented a more robust cybersecurity program. In fact, over 80% of breaches that occur due to hacking involve compromised or brute-forced credentials.
Weak passwords and a lack of 2-factor authentication (2FA) are often to blame for breaches of data and their resulting consequences. Without these extra steps that verify that the person attempting to access ePHI is who they say they are, you put your organization and the information you’re safeguarding at constant risk. We recommend implementing 2FA as soon as possible, along with the use of a password manager like LastPass, which will help you create complex passwords and store them. That way, you only have to remember one master password, and managing your accounts immediately becomes much simpler.
Remember that these safeguards should not be viewed as “one and done” implementations; they should be regularly monitored and updated to ensure ongoing safety and security. This applies to both technical and non-technical evaluations. Periodic review of security protocols is a requirement under the HIPAA Security Rule, and should therefore be complied with and taken seriously.
Exploiting Known Vulnerabilities
In addition to phishing and weak cybersecurity practices, exploiting known vulnerabilities is another common way that data is breached. A known vulnerability is one whose existence has been publicly disclosed. The National Vulnerability Database (NVD) is the public repository where information about known vulnerabilities is catalogued.
Easily exploitable vulnerabilities in an information technology infrastructure can be found in many places: mobile devices, servers, desktop operating systems, apps, web software, firewalls, firmware, and databases. This is why it is so important to regularly apply the updates and patches that fix the bugs and holes that leave data vulnerable. If a vulnerability is discovered, it may sometimes be necessary to disable the affected service or application until a solution can be identified.
Any legacy systems (unsupported applications or devices) should be replaced with ones that meet current cybersecurity standards. If they cannot be replaced, additional safeguards should be implemented to increase protection. As previously mentioned, in order to stay compliant with the HIPAA Security Rule, regular evaluations and checks of current security systems are essential.
The following is a list of ways you can stay up to date on updates, patches, and potential vulnerabilities, and on how those vulnerabilities can be mitigated:
- Update your systems and programs when patches are released (provided IT approves those updates)
- Subscribe to Cybersecurity and Infrastructure Security Agency (CISA) alerts
- Subscribe to HHS Health Sector Cybersecurity Coordination Center (HC3) alerts
- Participate in an information sharing and analysis center (ISAC) or information sharing and analysis organization (ISAO)
- Implement a vulnerability management program, including a vulnerability scanner to detect vulnerabilities (e.g., obsolete software, missing patches)
- Regularly conduct penetration tests to identify weaknesses that could be exploited by an attacker
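To make the "vulnerability management program" bullet concrete, here is an added example (not code from the original article or its authors) of the core check such a program automates: comparing an inventory of installed software against published advisories and vendor end-of-support dates, then turning each hit into an action (patch, disable or add compensating controls, or replace). Every product name, version, advisory identifier (ADV-EXAMPLE-…) and date below is constructed for illustration; none of them is a real vendor, CVE, or NVD entry.

```python
"""Added example: a toy inventory-versus-advisory check of the kind a
vulnerability management program automates. All data below is constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed software inventory, as an agent or scanner would collect it.
INVENTORY = [
    {"host": "ws-01", "product": "acme-pdf-reader", "version": "3.2.1"},
    {"host": "ws-01", "product": "acme-browser", "version": "98.0.4"},
    {"host": "srv-02", "product": "acme-db", "version": "5.7.0"},
    {"host": "srv-02", "product": "legacy-fax-gateway", "version": "1.0.9"},
]

# Constructed advisories shaped like an NVD/CISA bulletin summary: versions
# strictly below `affected_below` are vulnerable; `fixed_in` is None when the
# vendor has not shipped a fix yet. The ADV-EXAMPLE ids are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "product": "acme-pdf-reader",
     "affected_below": "3.3.0", "fixed_in": "3.3.0", "severity": "HIGH"},
    {"id": "ADV-EXAMPLE-0002", "product": "acme-db",
     "affected_below": "5.7.5", "fixed_in": "5.7.5", "severity": "CRITICAL"},
    {"id": "ADV-EXAMPLE-0003", "product": "legacy-fax-gateway",
     "affected_below": "2.0.0", "fixed_in": None, "severity": "MEDIUM"},
]

# Constructed vendor end-of-support dates (ISO format).
END_OF_LIFE = {"legacy-fax-gateway": "2019-12-31"}

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNSUPPORTED": 4}


def parse_version(text):
    """Turn '5.7.10' into (5, 7, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Finding:
    host: str
    product: str
    version: str
    advisory: str
    severity: str
    action: str


def scan(inventory, advisories, end_of_life, today="2021-09-01"):
    """Return findings sorted by severity: missing patches first, then unsupported software."""
    today_date = date.fromisoformat(today)
    findings = []
    for item in inventory:
        installed = parse_version(item["version"])
        for adv in advisories:
            if adv["product"] != item["product"]:
                continue
            if installed < parse_version(adv["affected_below"]):
                if adv["fixed_in"]:
                    action = f"apply patch: upgrade to {adv['fixed_in']}"
                else:
                    # No vendor fix yet: disable the service or add safeguards
                    # until a solution is identified, as the article advises.
                    action = "no fix available: disable service or add compensating controls"
                findings.append(Finding(item["host"], item["product"], item["version"],
                                        adv["id"], adv["severity"], action))
        eol = end_of_life.get(item["product"])
        if eol and date.fromisoformat(eol) < today_date:
            # Legacy software past vendor support: replace it, or isolate it and
            # add additional safeguards if replacement is not possible.
            findings.append(Finding(item["host"], item["product"], item["version"],
                                    "END-OF-LIFE", "UNSUPPORTED",
                                    f"vendor support ended {eol}: replace, or isolate and add safeguards"))
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f.severity, 99))


def report(findings):
    """One line per finding, suitable for a ticket or a periodic review meeting."""
    return [f"[{f.severity}] {f.host} {f.product} {f.version} ({f.advisory}): {f.action}"
            for f in findings]


if __name__ == "__main__":
    for line in report(scan(INVENTORY, ADVISORIES, END_OF_LIFE)):
        print(line)
```

Run as-is, the script lists the two hosts with missing patches, the product with no fix yet, and the unsupported legacy gateway, in severity order; a real program would feed the inventory from an endpoint agent and the advisories from the NVD, CISA or HC3 feeds the article recommends subscribing to, and re-run the check on the periodic schedule the HIPAA Security Rule's evaluation requirement calls for.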
By establishing these policies, regularly reviewing them along with your systems, and implementing the safeguards described above, you can build a strong security program.
Organizations that don’t take cybersecurity attacks seriously make themselves an open target to hackers and other bad actors. Our HIPAA Prime™ program helps you train your staff and provides you with a customized HIPAA compliance plan, complete with Privacy and Security Policies and Procedures. When it comes to HIPAA, we do the heavy lifting so you can focus on running your business.
Want to know more about how you can become HIPAA compliant?
Email us at email@example.com to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.
- U.S. Department of Health and Human Services Office for Civil Rights Breach Portal
- Q2 Ransom Payment Amounts Decline as Ransomware becomes a National Security Priority
- Verizon 2020 Data Breach Investigations Report
- National Vulnerability Database
- Cybersecurity and Infrastructure Security Agency Alerts
- HHS Health Sector Cybersecurity Coordination Center Alerts