Preventing a data breach can feel like a daunting task. However, a well-educated staff is your first line of defense. Although nothing is failsafe, there are many things you can do within your practice to prevent a data breach. We covered this last year, but I thought it might be time for a reminder with the latest breach from Change Healthcare.
Hacking/IT incidents remain the largest category comprising of 77% of the reported breaches. Network servers continued as the largest category by location for breaches involving 500 or more individuals at 58% of reported large breaches.
If you would like to review the list of breaches, click here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Many of these start from an unsuspecting employee that clicks on link or shares information before it has been verified. Most attacks begin from a phishing email, text, or a visit to a website. Once this occurs, then many times you are infected with a virus, malware, or ransomware. When this happens, your systems may be frozen, and a DOS (denial of service) begins. Let’s review how to prevent a data breach:
Emails:
What does a fake email may look like? First, they are going to look “real” until you take a closer look. Pay attention to the “from” email address. This is the most common place to start. Most email addresses will have a name you are familiar with, but the URL will be different. For example: sally@email.bankofamerica.com. So, look for anything that is “slightly” different. Then, if they want to click on a link, hover over the link to see if it is really for what they are proposing. I received an email from my “bank” asking me to “Finish the Do-To-List”. I knew I hadn’t started any such list and I hovered over the link. It was to a completely different website. I reviewed the message details and looked up the IP address, it was from Spain. My bank is not in Spain! If you would like to learn more about reading your message details, reply to this email.
Text Messages:
Text messages are somewhat the same. Look at the top of the message and review who it is from. Most of these will either be from a phone number or an email address that is not from the actual company. NEVER click on any link or call the number in the message. If you receive a message about a purchase and it states you must click to decline, DON’T! Call your bank or credit card company to verify. You must be very diligent with these messages; they try to spoof your bank or card company’s email address by adding something like this: stop@fraud.bankofamerica.com.
Websites:
Websites can be infected with malware, a virus, or redirect the information you enter. Again, it is very important to look at the URL closely before entering any credentials. When visiting unknown sites, you take the risk of being infected. This is difficult to comprehend since we all like to “surf” the web. Many recipe sites have been known to have malware since people do not maintain security on older sites. If you are going to surf, you MUST have very good anti-virus / anti malware software. I am currently using Bitdefender Total Security. When I try to go to a website and the credentials of the site do not match, my software will NOT let me go to the site unless I enter my password for my software. Your IT vendor may utilize something like this. Websites that have not been maintained or have been hacked can present all kinds of problems. Preventing a data breach means that staff members should NOT use their work computers for surfing!
Man-in-the-middle:
Another type of threat is when information is intercepted without a person knowledge, this is commonly referred to as the “man in the middle”. When a person uses a public wi-fi system, a nefarious character can spoof a legitimate connection and steal information. Depending on the type of activity, a virus or malware could be placed on the device and brought back into the office. This could in turn infect your network.
Zero-day attacks:
Then, there are zero-day exploits that happen when hackers uncover a vulnerability in a system and attack. These are usually widespread and can be all over the world. Developers must work fast to create a patch to correct this deficiency. In the meantime, your systems could be down or destroyed. This is why it is critical to maintain a backup that is not connected to your network.
Ransomware attacks are a real problem and not just for healthcare but for everyone. It has gone up 70% in just one year. Think about losing everything on your business network or your home computer. It happens, so all these recommendations are for your personal use as well.
The Office for Civil Rights (OCR) released their breach report to Congress, below are a few highlights.
The “OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said OCR Director Melanie Fontes Rainer. “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”
The HHS 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the number of complaints received. Some highlights include:
- OCR received 30,435 new complaints alleging violations of the HIPAA Rules
- OCR resolved 32,250 complaints alleging violations of the HIPAA Rules
- OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one complaint investigation with a civil money penalty in the amount of $100,000
- OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and monetary payments totaling $2,425,640.
Feel free to share this blog with your colleagues. We want to educate as many practices as we can since data breaches can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
