According to the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR), the number of cyberattacks against the health care industry has increased in recent years. Specifically, hackers are targeting electronic protected health information (ePHI), with the number of hacks involving such information that impacts 500 or more people has risen 46 percent from 2019 to 2020, the OCR says.
In a recent newsletter, the office adds that most security breaches involving such information could either have been prevented or their impact lessened if those targeted followed HIPAA Security Rule requirements to prevent the most common types of cyberattacks. Here is a quick summary of the OCR’s list of common cyberattacks and how to prevent them:
1. Phishing
This type of attack involves tricking people via email or other electronic communication into revealing sensitive information such as passwords by pretending to be a colleague or other trusted individual. The OCR notes that 42 percent of cyberattacks in the second quarter of 2021 involved phishing.
Prevention Tip: Ensure all employees are aware of their role in protecting the security of the organization as well as what phishing is. Make sure staff are trained in how to prevent phishing and the steps to follow if they are sent suspicious emails. Organizations should have a training program in place and conduct follow up training on a regular basis.
2. Exploiting Known Vulnerabilities
As you might guess, this type of cyberattack involves hackers taking advantages of publicly known weaknesses in organizations’ information technology infrastructure. Examples of such vulnerabilities can be found in device operating systems, web, database and application software, firewall, router, and other device firmware.
Prevention Tip: Organizations should stay up-to-date on the latest known vulnerabilities via the
National Vulnerability Database maintained by the National Institute of Standards and Technology and follow alerts on newly discovered vulnerabilities. Upgrading or installing patches to fix such vulnerabilities is also critical and any older or obsolete devices that can’t be patched or upgraded should be replaced. Implementing a security management process is also essential.
3. Weak Cybersecurity Practices
These involve cyberattacks targeting organizations that don’t follow cybersecurity best practices. Weak cybersecurity practices include easy-to-guess passwords or passwords that don’t require two-factor authentication. According to the OCR, over 80 percent of hacks involve cyberattackers using either “brute-forced” or compromised credentials to gain access to sensitive data.
Prevention Tip: Implement best practices for creating strong passwords as well as an authentication process to confirm the identity of those seeking access to sensitive health information. Put proper access controls in place so only those that need access to ePHI are granted it. Regular evaluations of the organization’s cybersecurity practices also help identify and correct any lapses.
More information on avoiding cyberattacks can be found in the “
OCR Quarter 1 2022 Cybersecurity Newsletter.”
Helpful Sources of Cybersecurity Alerts Recommended by the OCR
https://www.cisa.gov/uscert/ncas/alerts
https://www.cisa.gov/uscert/ncas/bulletins
https://www.hhs.gov/about/agencies/asa/ocio/hc3/contact/index.html
