HIPAA regulations have been part of the security landscape for more than two decades. But the way electronic protected health information (PHI) has been stored and shared has changed dramatically in recent years, even more so because of the COVID-19 pandemic. While the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) gave providers some enforcement discretion to support telemedicine and vaccination scheduling, those “good faith” passes are expiring, and anyone dealing with PHI needs to double down on cybersecurity. While we were all on a bit of a pause during the COVID pandemic, the threat actors were still hard at work looking for ways to exploit healthcare providers to obtain PHI.
OCR is updating the cybersecurity framework for ongoing HIPAA compliance. We’ve been active in making recommendations, as working with health care providers is a core part of Tego’s business.
As we exit the pandemic, there are four keys to reducing risk now:
- Educate employees continually to avoid phishing-related breaches.
- Secure mobile devices that were allowed for the first time during the COVID crisis.
- Back up data appropriately to dampen the impact of a ransomware demand.
- Take a sophisticated approach to rapidly accepting and applying patches.
Why Security is Getting Harder
Zero-day vulnerabilities are becoming more common. Threat actors are everywhere, with some rogue organizations existing solely to make money through breaches. It’s a trillion-dollar industry. Importantly for healthcare organizations, breach notifications are required, with some states going beyond what the federal government requires. While it is important to complete breach notification, the news will be detrimental to the trust relationship with clients and business associates alike.
So, what can you do about it?
Education is critical – it can’t be stated enough. Staff need to understand how phishing attacks work and how to avoid them. The bad actors constantly change their methods. As part of cybersecurity efforts, healthcare providers must build a culture of security.
Mobile devices can introduce risk – After the shift to remote work during COVID, companies often made it easier for employees to log in from anywhere on any device. Security was an afterthought. Organizations need to assess the vulnerabilities and secure information traveling to and from these devices.
Take some of the sting out of ransomware attacks – Even organizations that are cybersecurity resilient are at risk. Backing up and storing data securely is a must so your organization can remain up and running. The majority of incidents we see stem from ransomware attacks.
Re-engineer your approach to patches – To stay on top of the patches that software vendors send out, embrace a change management approach that ensures effective deployment while minimizing downtime. IT teams also need to understand what to do when a zero-day vulnerability occurs for which there is no patch.
A great way to reduce risk is to look for security audit and compliance tools that help assess the individual vulnerabilities of your organization’s environment. A good set of tools will help with the change management element of deploying patches.