Cybersecurity training for staff is the number one defense against HIPAA breaches. It’s not the only thing to do, but training can head off the most common and dangerous hacks facing healthcare organizations. It has the added benefit of shoring up the culture of compliance that strengthens an organization’s overall compliance program.
Phishing is the Primary Cause of Data Breaches
Humans, not equipment or software, are the source of most successful hacking incidents and the leading cause of HIPAA breaches. The 2019 Verizon Data Breach Investigations Report (DBIR) notes that “phishing” is the primary cause of data breaches, across all industries. And phishing targets people, not machines.
- Over 94% of detected malware is delivered by email
- The most common technique to steal logon credentials is phishing
- Criminals use social engineering tactics to trick users into providing their web-based email credentials…
- Followed by the use of those stolen credentials to access the mail account
Healthcare is a Prime Target for Phishing Attacks
Criminals see organizations that hold protected health information (PHI), regardless of size, as prime targets. Large organizations with sophisticated electronic defenses also have a large number of employees who can easily be identified and targeted by phishing attacks. Small organizations may lack effective technical protection and be less aware of threats, although they maintain PHI on hundreds or thousands of individuals. Both can benefit from security awareness training.
Phishing is Aimed at People
Most organizations use malware protection to guard against electronic invasion through computer systems. Malware detection software is essential and can be very effective at keeping out thousands of viruses and other attacks.
People, though, are more vulnerable. We are all accustomed to using email, the internet and web applications to conduct everyday life – checking news and weather, doing work over email, shopping, connecting with friends. We open emails, click attachments and enter data into web applications when asked, without thinking about it.
Recently, staff in the Philadelphia public health department adopted a web application for recording hepatitis cases but failed to secure it, causing a massive breach of sensitive health information.
Ironically, the workforce is both the most vulnerable to attack and the best defense against cybercrime.
Criminals Find it Easier to Exploit People than Technology
It’s relatively easy for sophisticated hackers to trick people into opening a door or providing credentials. Common phishing techniques include sending an innocent-looking attachment from an email that looks familiar, with a logo we see every day. We have reported before about emails we receive in our office that look very much like they’re from Netflix, Google or Amazon – to the untrained eye, distracted by the press of work and time, they seem fine.
Security experts call it “social engineering” – the psychological manipulation of people into performing actions or divulging confidential information. People are most vulnerable when they are unaware this might be happening. Only by learning about it, and learning to be suspicious, do they develop defenses.
Another level of phishing, called spear phishing, ups the game by using a very specific piece of information about a person (a hotel or restaurant recently visited) or the name of a colleague or friend to disguise the email. If you stayed at a Hilton, you might expect to receive an email from them when you return home. These personal details are easy to find through social media posts, or through other information left behind and tracked by the website applications we use every day.
Security Awareness Training is the Best Defense Against a HIPAA Breach
While this post mainly addresses threats from outside the organization, insiders still account for a sizable number of security breaches. Security training can help thwart those also.
Some insider breaches are unintentional mistakes, for example sending information to the wrong email address or sharing a password. Intentional actions, like insider snooping, are still a problem. Security awareness training can reach both and help reduce the problem.
HIPAA requires that organizations have sanctions against employees who violate HIPAA policies to underscore the importance of compliance. Security training should include mention of sanctions to discourage wrongdoing.
Security training does not need to be complicated or lengthy. People can learn basic cautionary tactics about the vast majority of outsider threats coming through email and web applications. Security reminders help keep awareness levels high. We use Think Before You Click magnets around the office and in the break room, along with other reminders in staff communications.
The key is to start the training, communicate the culture of compliance, and repeat the training at regular intervals. Use sanctions against employees who violate HIPAA policies.
Help from The HIPAA E-Tool®
The HIPAA E-Tool® has the HIPAA policies required for your HIPAA compliance program and training. It also includes an interactive Risk Analysis you can complete yourself.
If you need help, request a HIPAA Quick Start Kit below. Requests during the remainder of October will receive a free Think Before You Click security reminder magnet. Or, write us separately on the Contact page to request a magnet or ask any HIPAA question.