Risk From Many Sources
Using cybersecurity to protect PHI is a key feature of HIPAA. Electronic protected health care information or EPHI is at increased risk from many sources:
- Foreign hackers looking for data to sell – usually on the dark web
- Ransomware attacks that lock up data until a ransom payment is received
- Phishing schemes that lure the user into clicking a link or opening an attachment to deploy malicious software; and
- Spear phishing –a targeted attack on a specific person that appears to come from a legitimate source usually instructing a transfer of funds.
What You Can Do
In order to safeguard EPHI against threats:
- Firstly, know how to spot phishing emails.
- Secondly, use strong passwords, two factor authentication and encryption.
- Finally, have policies, procedures and safeguards in place to protect EPHI and Know who to report an incident to in your organization.
Prepare for Cyberattacks
In the case of a cyberattack or similar emergency an entity must:
- Execute it response and mitigation procedures and contingency plans.
- Report the time to other law enforcement agencies.
- Should report all cyber threat indicators to federal and information-sharing and analysis organizations.
- Finally, it must report the breach to OCR as soon as possible, but not later than 60 days after the discovery of a breach affecting 500 or more individuals.
Most importantly, OCR considers all mitigation efforts taken by the entity during in any particular breach investigation. For instance, such efforts include voluntary sharing of breach-related information with the appropriate agencies.
Above all, remember in the event of a cyberattack it is critical to comply with breach reporting requirements.
Finally, using cybersecurity to protect PHI remains the cornerstone to protecting all ePHI which all organizations should address in today’s healthcare climate.
This is your HIPAA ABCs brought to you by HIPAA Associates. Contact us for more information on this important topic. Follow us on Facebook and Twitter.