OCR Issues Guidance on Targeted Ransomware

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

We Are All Affected by Bad Cyber Health
Pay attention, the health of your business depends on it.

Wherever you fall in the healthcare industry’s food chain, cybersecurity needs to be at the forefront of your mind. That might mean you are a small doctor’s office with a few patients, a large hospital, a technology company that supports healthcare clients, or anything in between. If healthcare is part of your business, you are a target for attackers.

This Goes Beyond HIPAA
Your idea of “compliance” needs to extend beyond making sure that you fall into line with HIPAA rules and regulations. Those standards will help you should a breach occur, and may even shine a light on areas of weakness within your business, but HIPAA compliance does not mean you are protected from a cyber-attack. The Office for Civil Rights (OCR) recently released a newsletter on current threats and mitigation methods that emphasizes this point.

While ransomware attacks have declined in some sectors, the healthcare industry remains a constant and growing target. One reason is that patient information is needed on a regular and ongoing basis, so a provider locked out of its records is more likely to meet a ransom demand, and to meet it quickly. Add to that the range of personal information that can be obtained about individuals in a healthcare breach. Healthcare organizations also tend to lag when it comes to updated equipment and processes, which makes them easier to compromise. Human error is more likely in large environments, while smaller practices feel less threatened and mistakenly assume that their businesses do not hold valuable data. Any data is valuable today.

These attacks are no longer as immediate and obvious as they once were, and they are much more tailored to their victims. Attackers have been found gaining a foothold in systems and going undetected for some time before the ransomware is ever deployed. Phishing also remains an easy entry point via unsuspecting or untrained employees. Once inside, the attacker can remain in the system long enough to assess its structure and strike where it will hurt the business the hardest.

OCR recognizes that a solid HIPAA plan can help a business prevent, mitigate, and recover from an attack if it is in place and monitored on an ongoing basis. This means that as a business owner, office administrator, IT provider, or similar, you need to ensure that you are regularly maintaining both a robust cybersecurity program and a HIPAA compliance program.

Like any good doctor will tell you, an ounce of prevention can go a long way.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now! offers annual online subscriptions to help covered entities and business associates keep up with compliance.
