Cyber-awareness: New Education from OCR

By Matt Fisher, Esq.
Twitter: @matt_r_fisher

The Office for Civil Rights (OCR) at the Department of Health and Human Services sent out an email on February 2, 2016 announcing the launch of a cyber-awareness initiative for the healthcare industry. OCR recognizes the danger that an array of bad actors poses to healthcare and the need to spread information about it. As set forth in the email, OCR will highlight different threats and available tools through monthly or periodic messages.

The February 2 email, which covered January 2016, addressed ransomware, "tech support" scams, and a new Better Business Bureau scam tracker. The email introduces each topic with some basic information and suggestions on actions to take.

On the topic of ransomware, OCR explained that it is malicious software that blocks the victim's access to their own data, typically by encrypting it. The bad actors behind the attack then charge the victim a fee to "free" the data. In reality, however, there is no guarantee that paying the ransom will actually restore access. In bringing the discussion back to HIPAA, which is OCR's realm, OCR suggested that covered entities and business associates need to be especially vigilant. Healthcare information is particularly sensitive, and there is an obligation to ensure it remains available. For example, OCR suggested that covered entities and business associates regularly back up data to minimize the harm from losing a portion of it, ensure that all software and anti-virus tools are up to date, and otherwise implement browser and email protections. One practical caveat on the backup point: a backup only helps against ransomware if it is kept where the malware cannot reach it (offline or on a system the infected machine cannot write to) and if restoring from it has actually been tested, since a backup that is encrypted along with the production data, or that turns out to be unrestorable, provides no protection. As G.I. Joe used to say, knowing is half the battle.

The second threat, tech support scams, relies on social engineering rather than malware. In a tech support scam, the bad actor claims to be technical support and talks a user into granting access to the user's computer and, in turn, to any connected system. Once trust is gained and access granted, the game is over. It is important not to blindly trust others, especially when it comes to network systems. Unknown actors should never be allowed access or otherwise enabled to log into a system. The greater the number of touch points for computer support, the more opportunities there are for this type of attack. Additionally, the increasingly remote nature of tech support makes users more susceptible, because there is an expectation of outside support. In light of this reality, anyone who asks to access a computer should be questioned before anything is done, and the request should be verified through a known channel, such as calling the organization's own help desk or vendor back on a published number rather than one the caller supplies.

The third item in OCR's email identified a new scam tracking resource from the Better Business Bureau. The tracker identifies scams and enables self-reporting and information sharing. Collecting reports from a variety of sources is what makes it useful. Anyone can report a scam, which makes it a true crowd-sourced resource. Being able to find out about scams in essentially real time provides a great benefit for many.

If OCR continues to produce similar monthly emails, they will represent a pretty good educational resource. Hopefully the emails will keep coming. Cybersecurity and, relatedly, cyber-awareness are certainly hot-button topics and at the forefront of many minds. Taking a HIPAA-based focus to the discussion is good for the healthcare industry. Hopefully, it can help dispel the myth (or truth) that healthcare is deficient and behind when it comes to security. As always, only time will tell.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.