All companies must take steps to prevent cyber-attacks and data breaches, but in healthcare this is especially important. Cybercriminals target healthcare organizations to gain access to protected health information (PHI). Full sets of health records, especially those containing Social Security numbers and health insurance information, carry a high price on the black market.
Healthcare providers are heavily reliant on electronic data, access to which is needed for healthcare operations and to provide quality care to patients. Cybercriminals are well aware that preventing access to that data causes considerable disruption. By infecting servers and networks with ransomware, they can extort money from providers. Ransomware attacks on healthcare providers have soared in recent years because providers are seen as easy targets with a higher than average probability of a ransom being paid.
The HIPAA Security Rule requires covered entities and their business associates to implement technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI (ePHI). Suitable technical safeguards include firewalls, spam filters, web filters, intrusion detection systems, endpoint security systems, and antivirus software. While these controls can help to prevent cyber-attacks and detect them quickly when they do occur, they are not 100% effective, especially against phishing attacks, where the attacker's goal is to persuade an employee to act rather than to defeat a technical control.
Research conducted by the security awareness and anti-phishing solution provider Cofense suggests 91% of all data breaches start with a phishing email. Phishing emails target a weak point in security defenses: employees. Why go to the trouble of identifying a chink in an organization's technical armor and finding a way to exploit that vulnerability when a simple phishing email can be sent to an employee? That email can be used to install malware or to fool the employee into handing over their login credentials.
To defend against phishing attacks (and web-based threats), employees need to be taught security best practices. Security awareness training provides employees with the skills they need to identify threats and shows them how certain behaviors can easily result in a data breach. Cofense research also suggests that security awareness training combined with phishing simulations can reduce susceptibility to phishing attacks by up to 95%.
Security awareness training is not only a best practice. It is also a requirement of the HIPAA Security Rule, specifically, the administrative safeguards covered in 45 CFR §164.308(a)(5)(i). This standard requires covered entities to “Implement a security awareness and training program for all members of its workforce (including management).”
Security awareness training must be provided to all new and current staff, with further training provided when there are environmental or operational changes that affect the security of ePHI. There are four implementation specifications under this standard, all of them addressable: security reminders, protection from malicious software, log-in monitoring, and password management. Addressable does not mean optional: a covered entity must implement each specification where it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure.
The frequency of training is open to interpretation but should be guided by an organization's risk analysis and risk management processes. The higher the risk, the more often training and security reminders should be provided. Many healthcare organizations choose to provide security awareness training once a year; however, given the frequency of attacks and the changing tactics used by cybercriminals to gain access to data, annual training alone is no longer sufficient.
OCR tackled the issue of the frequency of security awareness training in one of its recent cybersecurity newsletters and suggests that biannual training works well for many healthcare organizations.
OCR also notes that, in addition to biannual training, many healthcare organizations have found that sending out monthly updates on security issues helps to keep the workforce well informed of current threats. This practice can also satisfy the security reminders implementation specification at 45 CFR §164.308(a)(5)(ii)(A). These reminders can contain details of new and current threats and address specific areas of security awareness, such as a phishing campaign currently targeting the healthcare sector.
By combining anti-phishing and security awareness training with phishing simulations and regular security alerts, healthcare organizations can meet the security training requirements of HIPAA and build more comprehensive and robust defenses against cyberattacks. Training does not replace the technical safeguards described above; it closes the gap those safeguards leave when an attack reaches an employee.