06.13.2019

3rd Party Security Breaches Are Surging. You Can Transform Your Risk Management Program.

Security breaches caused by healthcare providers’ business associates (BAs) are surging. Several major incidents in 2018, some of which have just been reported in the last month, have compromised over 20 million patients’ privacy. So it’s not coincidental that a group of major hospitals and hospital systems have come together in a formal concerted effort to provide better vendor risk management standards to the industry. The crucial task of individually vetting and contracting with hundreds, even thousands of business associates (per institution), which is the norm — and then managing their service levels for security has become a near-impossibility for many hospital security staffs.

Maybe this challenge seemed manageable to the Department of Health and Human Services’ Office for Civil Rights (OCR) in 2013 when it expanded HIPAA regulations to include greater business associate liability for breaches. But with the explosion of outsourcing to digitally-founded BAs since then, Chief Information Security Officers have found their jobs unmanageable — to the detriment of patients’ privacy and hospitals’ systems security. The Provider Third-Party Risk Management Initiative aims to change that.


05.30.2019

HIPAA Breaches 2019 Style: More Than Ever With No Relief in Sight

The Wall of Shame must be dripping with guilty tears. The Office of Civil Rights has just reported more data breaches than in any other month since the Department of Health and Human Services started recording healthcare data breaches in 2009. In April, 46 healthcare data breaches were reported — a 48% increase from March and 67% more than the average number of monthly breaches in the last six years. The only mild comfort is the number of actual healthcare breaches in April was only(!) 694,710 — a 24% reduction from March. That’s still a LOT of patient information!

What has caused the enormous increase in breaches? A major rise in phishing, IT hacking, and ransomware attacks, mostly within many providers — but also within six payors. Only three breaches involved a business associate, although one business associate breach of 206,695 patient records was the largest breach of the month. Here’s what you should know to better understand how your organization may need to beef up its precautions.


05.16.2019

Even in 2019, Your Staff is Still a Cyber-Security HIPAA Risk. Here Is Some Free Help.

Our healthcare industry has become the largest target of all sectors for hackers primarily because of the huge volume of personal information that they can collect. Our personal information, our organization’s financial data, and especially the health and personal information of our patients offer a treasure trove for online profiteers. There’s another big reason why healthcare gets hit so often: many organizations still lack adequate policies, procedures, or resources to optimize employees’ monitoring activities and ensure privacy and security.

We’ve developed a brand new downloadable, printable high-resolution infographic to support healthcare organizations in persuading staff to consistently take precautions against cybersecurity risks created by external bad actors.


03.08.2019

Hospital Cybersecurity 2019: Seven Essential Leadership-Level Strategies

Dangerous cybersecurity attacks have become a sweeping problem across our healthcare industry, with most hospitals having experienced not one or two, but many threats in the last three years. It wasn’t that long ago when the most common perpetrator of security breaches was a negligent employee. But the majority of threats now are from cybercriminals and other malicious actors, according to the 2019 HIMSS Cybersecurity Survey published last month. The good news is that many hospitals have conceded that these risks are not going away and are investing in tenacious battles against cybercrime. We’ve gathered data from a variety of hospitals detailing innovative and aggressive strategies they are using to minimize if not eliminate significant security incidents.


02.21.2019

Your Mobile Device is a Security Risk! Discover Simple, Surprising Fixes.

At least 80 percent of Americans use smartphones and/or tablets, creating a digital frontier that is rife with cybercriminal activity. Worse, healthcare workers are subject to special risks of HIPAA violation if they use their devices to store or transmit protected health information of patients or to access their hospitals’ networks, EHRs, and other computer systems. Cybercriminals now target mobile devices almost as much as desktops (iOS, Android, it doesn’t matter), and too many users skip on their phones the preventative measures they take for granted on their desktops. In this post, we discuss the security risks of mobile device usage and offer a simple, informative new downloadable infographic learning tool suitable for printing and posting in your workplace.


01.16.2019

Record Numbers of Phishing Attacks Are Succeeding. Stop Being Such Tasty Bait.

Phishing attacks, at an all-time high in 2018, continue to pelt healthcare organizations, gaining access to invaluable patient data and personal information of staff members. Social Security numbers, credit card and bank data, logins, driver’s licenses, medical histories, and even digital signatures are grabbed and used to make illegal purchases or otherwise commit fraud. Mobile devices have morphed into profitable new opportunities for criminals executing phishing attacks, because identifying and blocking mobile-based phishing is especially difficult both for individuals and for employers’ current security technologies. These exploits create entry-ways into entire hospital computer networks and wreak broadscale havoc. Phishing accounts for nearly 40% of hospital security breaches (HIMSS), and end-users are the number one enablers when they are negligent or so hoodwinked by criminal “social engineers” that they break proper security procedures.

Regular education of all end-users is a must today for all healthcare organizations and their business associates. Frequent reminders help keep the ball rolling. As a small contribution to the cause, we’ve developed a free infographic poster with key tips on avoiding common phishing ruses. Print it (scalable up to 18 x 24 inches), and post it!


09.20.2018

Managing the HIPAA Risks of Outsourcing to Business Associates

Today, most hospitals count on external outsourcing services for a myriad of essential functions like revenue cycle management, health information management, IT support, data storage and security, housekeeping, and many other clinical and non-clinical functions. Many of these partners are business associates under HIPAA — and therein lie major potential security risks for hospitals. Relationships with diligent, qualified business associates have proven to be a boon to hospitals’ service quality and cost efficiencies. But data security and privacy breaches, either caused by business associates or enabled by their deficiencies, have exploded in recent years. Every hospital and healthcare organization must protect itself through a well-defined and enforced business associate management program. Here’s what you need to know — plus a great infographic to summarize this critical issue.


08.22.2018

Healthcare Phishing Attacks Are Succeeding. Let’s Stop Being Such Tasty Bait.

Phishing attacks continue to pelt healthcare organizations, successfully gaining access to invaluable patient data and personal information of staff members. This information — Social Security numbers, credit card and bank data, logins, driver’s licenses, medical histories, and even digital signatures — is typically used to make illegal purchases or otherwise commit fraud. These exploits also create entry-ways into entire hospital computer networks and wreak broadscale havoc. Phishing accounts for nearly 40% of hospital security breaches (HIMSS), and end-users are the number one enablers when they are negligent or so hoodwinked by criminal “social engineers” that they break proper security procedures.

Regular education of all end-users is a must today for all healthcare organizations and their business associates. Frequent reminders help keep the ball rolling. As a small contribution to the cause, we’ve developed a free infographic poster with key tips on avoiding common phishing ruses. Print it (scalable up to 18 x 24 inches), and post it!


08.07.2018

Cybercrime 2018: Most Hospitals’ IT Security Is Still Not Enough

Have you noticed? We haven’t read shocking news of record-breaking security breaches since 2015-2016. Remember Bon Secours Health System, where the information of 655,000 patients was exposed via the internet? Or the breach at 21st Century Oncology Holdings that hit more than two million patients across 181 cancer treatment centers? A cyber attack on Banner Health affected 3.6 million people, and NewKirk Products, a business associate, was hacked to the tune of 3.5 million affected individuals. According to HHS’ Wall of Shame, over 113 million people were hit in 2015 by breaches of their personal data, and in 2016 more than 27 million patient records were impacted. But in the whole of 2017 “only” about 4.7 million people were victimized, a four-year low. This may seem like good news, but before we get too comfortable with our seemingly safer data security today, here’s the story behind the story — and it isn’t pretty.


05.30.2018

New Infographic: Risks of HIPAA Business Associate Relationships

Last week, we published a blog post about the importance of hospitals establishing and monitoring Business Associate Agreements with contractors who touch protected health information (PHI). Most hospitals and other HIPAA-covered entities, e.g. payors, physician practices and pharmacies, outsource a myriad of services for better, cost-effective operational results. Many of these services “touch” PHI, e.g. transcription services, revenue cycle managers, IT support and many other clinical and non-clinical functions. Such contractors have been deemed HIPAA business associates (BAs) since the 2013 Omnibus HIPAA Rule, and are directly accountable (think fines and even prison time) for PHI breaches. Many hospitals and their contractors still don’t know this or just aren’t on top of this issue. Read on for our newest infographic that simplifies the risks of HIPAA business associate relationships.
