Healthcare Provider Cyber Defense Tips Pt. I

Each week, several new reports emerge of significant healthcare facility and patient data exposures due to healthcare cybersecurity vulnerabilities. To help providers stay on the defense, we’ve compiled a two-part series on cyber attack preparedness.

  1. Who gets targeted most: A recent study from Proofpoint found that lower-level employees are more likely than executives to be targeted by email phishing campaigns. Such employees often wait for IT to discover and report phishing links or malicious downloads instead of reporting suspicious activity themselves. Beyond this, generic functional email addresses, such as helpdesk@(hospital name).com, are the fastest-growing category for attacks. Hospital employees should also watch what they access in their off time: fraudulent social media support account phishing was up 442% over the previous year.

  2. Stay on top of new tactics: We all hear about phishing, but there are other cyber threats, including smishing. Smishing is when an SMS text message carries a fraudulent link. The recipient reads the text notification, such as a payment reminder or meeting invitation, and is prompted to click the link and/or enter private information. Attacking a healthcare employee’s phone may initially impact only personal accounts and profiles, but the exposure likely spreads into corporate accounts and facility data accessed from the same device.

  3. When to report an attack: Under HIPAA, healthcare providers and business associates, including third-party vendors, must report unsecured protected health information breaches within 60 days of discovery. That means 60 days after first notice, not after the end of an investigation. The healthcare organization must offer a toll-free phone number for at least 90 days so that individuals can call to learn if or how their information was involved in the breach.

  4. Be cognizant of current industry breaches: As required by section 13402(e)(4) of the HITECH Act, a list of unsecured protected health information breaches affecting 500 or more individuals must be made public. The Department of Health and Human Services Office for Civil Rights maintains an active list of breaches reported within the past two years, which you can break down by type of breach, location of breached information (desktop, laptop, paper, EHR, network server, email or portable device), or type of healthcare entity, or search by facility name.
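The breakdowns described in item 4 (by type of breach, by location of the breached information, by entity type, and facility name search) are easy to reproduce offline once the OCR list has been exported. The following is an added example, not code from this article or from HHS: it parses a small constructed sample written in the shape of a breach-portal CSV export (the column names are an assumption about that export, not something the article states) and aggregates incident counts and individuals affected per category, which is the view a security team wants when deciding where to focus defenses.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows in the shape of an OCR breach-portal CSV export.
# Column names are ASSUMED for illustration; entities and figures are made up.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Hospital A,TX,Healthcare Provider,"1,200",01/15/2019,Hacking/IT Incident,Email
Example Clinic B,OH,Healthcare Provider,650,02/03/2019,Unauthorized Access/Disclosure,Paper/Films
Example Plan C,CA,Health Plan,"30,000",02/20/2019,Hacking/IT Incident,Network Server
Example Vendor D,NY,Business Associate,800,03/01/2019,Theft,Laptop
Example Hospital E,TX,Healthcare Provider,"2,500",03/10/2019,Hacking/IT Incident,Email
"""


def load_breaches(text):
    """Parse the CSV text into a list of dicts, one per reported breach."""
    return list(csv.DictReader(io.StringIO(text)))


def affected_count(row):
    """'Individuals Affected' may carry thousands separators; normalise to int."""
    raw = row["Individuals Affected"].replace(",", "").strip()
    return int(raw) if raw else 0


def breakdown(rows, field):
    """Return {category: (incident_count, individuals_affected)} for `field`.

    `field` is one of the portal columns, e.g. "Type of Breach",
    "Location of Breached Information" or "Covered Entity Type".
    """
    counts = Counter()
    affected = defaultdict(int)
    for row in rows:
        key = row[field]
        counts[key] += 1
        affected[key] += affected_count(row)
    return {k: (counts[k], affected[k]) for k in counts}


def top_category(rows, field, by="incidents"):
    """Category with the most incidents (by="incidents") or people (by="affected")."""
    idx = 0 if by == "incidents" else 1
    stats = breakdown(rows, field)
    return max(stats, key=lambda k: stats[k][idx])


def search_entity(rows, needle):
    """Case-insensitive facility name search, like the portal's name filter."""
    needle = needle.lower()
    return [r for r in rows if needle in r["Name of Covered Entity"].lower()]


if __name__ == "__main__":
    rows = load_breaches(SAMPLE_CSV)
    for field in ("Type of Breach", "Location of Breached Information", "Covered Entity Type"):
        print(f"== {field} ==")
        for cat, (n, people) in sorted(breakdown(rows, field).items()):
            print(f"  {cat:35s} incidents={n:2d}  individuals={people:7d}")
    print("Top location by incidents:", top_category(rows, "Location of Breached Information"))
    print("Hospitals in sample:", [r["Name of Covered Entity"] for r in search_entity(rows, "hospital")])
```

Against a real export the same functions work unchanged as long as the column headers match; if OCR renames a column, only the string keys above need updating. Comparing the "Location of Breached Information" breakdown against your own inventory (how much PHI lives in email, on laptops, on paper) is a quick way to turn the public list into a prioritised control review.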

From new attack tactics and targets to current industry breaches, use this information to keep your organization and peers safe from lurking cyber threats. Check back soon for part II of this cybersecurity series.