Written by: Compliance blogger
The Impact of Cyberattacks
Why is cybersecurity so vitally important in health care? Cyberattacks constitute a HIPAA breach and have the potential to put all electronic protected health information at risk. Cyberattacks, and cybercrime, are crimes that involve a computer and network, and can include phishing attacks, malware, and even spam mail.
Data breaches resulting from cybercrime are becoming alarmingly common threats for any industry. For example, the Office of Civil Rights reported that in a recent government survey, 61% of respondents had experienced a data breach within the past two years, including unauthorized access, denial of service, and malware infections. In addition, a U.S. Government inter-agency report indicated that there were, on average, over 4,000 ransomware attacks every day in 2016, a 300% increase from the previous year.
The health care industry in particular is heavily targeted by cyberattacks. According to the Identity Theft Resource Center, in 2016 almost 16 million health care records were affected by data breaches, 43% of the total records affected by data breaches that year. The Ponemon Institute, which conducts independent research on privacy, data protection, and information security, noted in their 2016 Cost of Data Breaches Study that the average cost-per-record for a health care breach was about $402. This means that in 2016, with 16 million healthcare records affected, the total amount lost to data breaches could be estimated at over $6 billion.
Laws that have helped the states enforce breach and notification laws include the Health Information Technology for Economics and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPPA). Stay up-to-date with your HIPAA privacy and security training to help protect sensitive information from cyberattacks.
Perhaps one of the most important things the average employee can do to prevent cyberattacks is stay informed about the risk factors of cyberattacks and what potential attacks often look like. Based on a review of cyber-crime-related insurance claims, some common risk factors of cyberattacks include:
- Lost or stolen handheld devices and laptops
- “Bad actors” such as rogue employees
- Outside hacking
- Misplaced or stolen paper records
- Employee error
Cyberattacks can come in many forms. Some of the more prevalent ones that you may encounter are:
- Phishing Scams – Phishing is when intruders pose as a real business or organization in order to gain your trust and access your personal information or passwords.
- Malware – Malware damages, steals information from, or otherwise disrupts a computer system. It most commonly infects a system through unsecured email links and attachments. A particularly well-known form of malware is ransomware, which attempts to deny access to a user’s data (typically using encryption) until a ransom is paid.
- Internet Hoaxes – Emails that promise you a free gift card, plead for financial assistance, or warn of a new computer virus are hoaxes. These messages are designed to make you want to forward the information to others, but this mass distribution of email messages floods computer networks, causing them to slow down.
- Email Spam – Spam are unsolicited email messages, similar to junk mail. The reason email spam can be dangerous is because it may contain links that install malware on your computer or direct you to phishing websites.
HIPAA Compliance and Protecting Sensitive Data
For health care companies and organizations, the Federal Bureau of Investigation offers a few tips to help avoid cyberattacks and protect your sensitive data:
- Recognize internal and external security threats
- Identity your organization’s sensitive data and develop plans to safeguard it
- Secure both physical and electronic versions of sensitive data
- Keep your organization’s sensitive data on a need-to-know basis
- Train employees about your security plans regarding sensitive data and how to detect potential data breach attempts
For example, make sure your employees know to NEVER provide their password to anyone via email
- Use up-to-date software security tools
HIPAA compliance is a key part of making sure that your company or organization is prepared to deal with potential cyber threats. For example, The HIPAA Security Rule requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack. Get more detailed information about HIPAA guidelines and cybersecurity through in-person and online training programs.
AIHC offers the following HIPAA compliance programs:
- HIPAA Privacy and Security Officer Training Camp
- HIPAA Privacy and Security Officer Web-Based Training