Should Cybersecurity Be Part of Regular HIPAA Compliance Training?

With data security breaches on the rise, one question keeps coming up: should healthcare providers prioritize cybersecurity training alongside HIPAA privacy and security training?
We live in an era where the privacy and safety of information online cannot always be guaranteed. Healthcare entities suffered enormous losses from data breaches in 2020, and most of the reported breaches were cybersecurity-related incidents.
In fact, from January 2020 to November 2020, 79% of the breaches reported in healthcare were linked to cybersecurity, and the volume of cyberattacks increased by 45% between November 2020 and January 2021. This is an alarming trend for healthcare professionals.
Why is healthcare the largest target?
The healthcare industry has been a prime target for cybercriminals for quite some time. Healthcare records are highly sought after because they contain a great deal of valuable information about individuals: Social Security numbers, financial information, dates of birth, names, insurance details, and more. According to the InfoSec Institute, a single record can sell for up to $362 on the black market. Cybercriminals also use this information for fraudulent billing and other forms of fraud.
Disconnecting from the internet is not an option for protecting your organization from cyberattacks. Today, millions of health records are shared across the internet, and millions of people, including doctors and nurses, use it for all kinds of work, including activities involving PHI (Protected Health Information). Because the data is online, organizations are exposed to hacking attempts regardless of the security controls around it.
Encouragement for solid cybersecurity practices
Recently, the U.S. took a step to encourage better cybersecurity in healthcare: providers that fall victim to cyberattacks may face reduced penalties and enforcement actions if they had recognized security practices in place.
A new bill, known as the HIPAA Safe Harbor bill (H.R. 7898), was signed into law by President Trump on January 5, 2021, amending the HITECH Act.
This change could help covered entities and business associates defend themselves in HIPAA investigations if they employ appropriate cybersecurity practices. The law aims to incentivize adoption of industry-standard security practices by reducing fines and shortening the extent of audits.
However, the law does not shield healthcare providers from all liability. Instead, providers that can demonstrate those practices may avoid substantial fines or reduce the length of an audit.
The Office for Civil Rights (OCR) must now take into account the "recognized security practices" an organization had in place for the 12 months prior to the breach before issuing fines and enforcement actions. The law ties that term to established standards, such as the NIST Cybersecurity Framework and the HHS 405(d) practices, so the benefit only applies if the organization adopted and actually followed such practices in advance; adopting them after the breach does not count.
Who needs cybersecurity training?
In short, everyone. In today's highly digital workplace, anyone who uses a computer for company business must know how to keep company data safe. We tend to take computer security for granted, but cyberattacks have grown not only in volume but in sophistication.
The importance of cybersecurity training in the healthcare industry cannot be overstated. Although a few providers do include cybersecurity as part of their HIPAA Security training, the vast majority provide no cybersecurity training at all.
According to a Kaspersky report, nearly a third of surveyed healthcare employees (32%) said they had never received cybersecurity training from their employer. What's more, 1 in 10 managers was not aware that their company had a cybersecurity policy, and about 40% of healthcare workers in the U.S. did not know what cybersecurity measures protect the IT devices in their workplace.
HIPAA Compliance and Cybersecurity
Most data breaches in recent times stemmed from cybersecurity-related incidents, and providers that fell victim to such attacks were nonetheless fined under HIPAA. That is a strong indication that HIPAA compliance and cybersecurity are two sides of the same coin.
Cyberattacks cannot always be prevented, but proper training and implementation can reduce both their likelihood and their consequences. If you lack the right tools and resources in-house, engage third parties with expertise in cybersecurity and training, or use HIPAA compliance software, as some major providers do.
Including cybersecurity in your HIPAA Security training is essential, especially now that the healthcare industry has become more reliant on IT devices and internet connectivity during the COVID-19 pandemic, which has widened the attack surface considerably.
With proper training, employees will be aware of the cyber threats they may encounter on a daily basis. A few key areas to focus on include:
- Fostering a culture of security
- How to protect mobile devices
- Encouraging employees to use a unique, strong password for every account and to change it promptly if a compromise is suspected
- How to respond when the unexpected happens
- Controlling access to protected health information
- How to recognize hacking attempts, phishing attacks, ransomware, and malware
- Encouraging employees to keep antivirus software installed and up to date
- How to maintain good computer habits
Your defense is only as strong as your weakest link
Often, your employees are the weakest link in your organization's security. It is therefore your responsibility to give them the knowledge they need to protect the organization and maintain compliance. If you have too much on your plate, use HIPAA compliance software to streamline training. If you do experience a breach, a lack of training should not be the reason.
The HIPAA Safe Harbor law could not have come at a better time. Not only will you be in a better position to defend against an audit or investigation, but you will also reduce the likelihood of damaging cyberattacks, provided you actually implement the recognized security practices rather than merely document them.