Cybercrime Risk and HIPAA Compliance


The Impact of Cyberattacks

Why is cybersecurity so vitally important in health care? Cyberattacks constitute a HIPAA breach and have the potential to put all electronic protected health information at risk. Cyberattacks, or cybercrime, are crimes that involve a computer and a network; they include phishing attacks, malware, and even spam mail.


Data breaches resulting from cybercrime are becoming alarmingly common threats for every industry. For example, the Office for Civil Rights reported that in a recent government survey, 61% of respondents had experienced a data breach within the past two years, including unauthorized access, denial of service, and malware infections. In addition, a U.S. Government inter-agency report indicated that there were, on average, over 4,000 ransomware attacks every day in 2016, a 300% increase from the previous year.


The health care industry in particular is heavily targeted by cyberattacks. According to the Identity Theft Resource Center, in 2016 almost 16 million health care records were affected by data breaches, 43% of the total records affected by data breaches that year. The Ponemon Institute, which conducts independent research on privacy, data protection, and information security, noted in its 2016 Cost of Data Breaches Study that the average cost per record for a health care breach was about $402. This means that in 2016, with 16 million health care records affected, the total amount lost to data breaches could be estimated at over $6 billion.


Laws that have helped the states enforce breach and notification laws include the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA). Stay up-to-date with your HIPAA privacy and security training to help protect sensitive information from cyberattacks.


Stay Informed

Perhaps one of the most important things the average employee can do to prevent cyberattacks is to stay informed about the risk factors for cyberattacks and what potential attacks often look like. Based on a review of cybercrime-related insurance claims, some common risk factors for cyberattacks include:

  • Lost or stolen handheld devices and laptops
  • “Bad actors” such as rogue employees
  • Outside hacking
  • Misplaced or stolen paper records
  • Employee error


Cyberattacks can come in many forms. Some of the more prevalent ones that you may encounter are:

  • Phishing Scams – Phishing is when intruders pose as a real business or organization in order to gain your trust and obtain your personal information or passwords.
  • Malware – Malware damages, steals information from, or otherwise disrupts a computer system. It most commonly infects a system through unsecured email links and attachments. A particularly well-known form of malware is ransomware, which attempts to deny access to a user’s data (typically using encryption) until a ransom is paid.
  • Internet Hoaxes – Emails that promise you a free gift card, plead for financial assistance, or warn of a new computer virus are hoaxes. These messages are designed to make you want to forward them to others, and this mass distribution of email messages floods computer networks, causing them to slow down.
  • Email Spam – Spam consists of unsolicited email messages, similar to junk mail. Email spam can be dangerous because it may contain links that install malware on your computer or direct you to phishing websites.


HIPAA Compliance and Protecting Sensitive Data

For health care companies and organizations, the Federal Bureau of Investigation offers a few tips to help avoid cyberattacks and protect your sensitive data:

  • Recognize internal and external security threats
  • Identify your organization’s sensitive data and develop plans to safeguard it
  • Secure both physical and electronic versions of sensitive data
  • Keep your organization’s sensitive data on a need-to-know basis
  • Train employees about your security plans regarding sensitive data and how to detect potential data breach attempts (for example, make sure your employees know to NEVER provide their password to anyone via email)
  • Use up-to-date software security tools


HIPAA compliance is a key part of making sure that your company or organization is prepared to deal with potential cyber threats. For example, the HIPAA Security Rule requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack. Get more detailed information about HIPAA guidelines and cybersecurity through in-person and online training programs.


AIHC offers the following HIPAA compliance programs:


CEU Tracking Number: FRBLG1217.3

How to Earn 0.5 Continuing Education Units from This Article for CHCO Certified Professionals

  • Print and/or save a copy of this article for your records.
  • Document your answers to the following in case you are selected for a CEU audit:
    • What did you learn by reading this article?
    • How does the information in this article apply to your job or organization?
    • How did you use this information in your current job position or within your organization?
  • Supply the CEU tracking number in the description box of your online CEU Tracker.

You will need to produce this information if you are selected for a CEU audit or if you are late in renewing. You may use this article for continuing education units once every 24 months or every other renewal year.



Articles written by the American Institute of Healthcare Compliance are under Copyright Notice: © 2016-2019 American Institute of Healthcare Compliance, Inc. All Rights Reserved. Views expressed through RSS feeds or remarks made on this blog or website are solely those of the original authors and other contributors and do not necessarily represent those of the American Institute of Healthcare Compliance and/or staff.