At Catto & Catto, we build personalized insurance solutions that go beyond product delivery. This month, we partnered with ACP Technologies for an informative seminar to provide perspective and solutions on growing cyber security risks.
Challenges for Protecting Your Data
Protecting data is a challenge. Expanding HIPAA rules and enforcement, meaningful use incentives, the implications of EHR technology, and a growing number of mass-scale breaches mean the stakes for protecting your data, your customers, and your company have never been higher.
The HIPAA Omnibus Rule, which took effect in 2013, changed the breach notification standard to something close to "guilty until proven innocent": an impermissible use or disclosure of protected health information is presumed to be a reportable breach unless the organization can show, through a documented risk assessment, a low probability that the data was compromised. Business associates are now directly regulated by HIPAA, and covered entities remain liable for the actions of business associates acting as their agents.
You are responsible for all the data you hold, wherever it lives: email, servers, accounting systems, workstations, cloud servers, practice management and EMR/EHR systems, and filing cabinets. The risk is real, so education and prevention are vital if you want to stay out of the news for a costly data breach.
The Cost of Negligence
Over 1.7 million health records were exposed in breaches during 2012. The largest fell on the Utah Department of Health, whose server was hacked, exposing 780,000 records. Emory Healthcare misplaced 10 backup tapes and breached 315,000 records. At South Carolina HHS, an employee sent unencrypted PHI through a personal email account and was responsible for 228,000 records breached.
The penalties, the loss of customer trust, and millions in fees are sobering reminders of situations that could have been avoided. Even so, 59% of businesses still lack a security incident response plan.¹ The cost? The average liability per compromised PC is $48,843.²
What to Look For
The most common way in is a social engineering scam delivered by email (phishing). You have probably received a message that appears to come from a trusted sender such as Amazon, offering a gift card, asking for a reply, or pointing you at a link to claim a reward or "verify" personal information. Look for these signs that the email is fake:
- Is the FROM address valid? Check the actual address, not just the display name, and compare the domain against the real company's website or past legitimate emails you have received from it. Look-alike domains (an extra word, a hyphen, a swapped letter) are a common trick, and a sender address can also be forged outright, so a matching domain alone does not prove the message is genuine.
- Is the greeting personalized (e.g. "Hello Stanley,")? Many scam emails use a generic greeting or guess at your name from the text of your email address.
- Do the links go where they appear to go? Scam emails often show link text that looks legitimate while the link itself points somewhere else. Hover over a link without clicking to preview the real destination (on a phone, press and hold the link instead), and compare that domain with what the text claims.
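The three checks in the list above can be automated against the raw message. The following is an added example written for this page, not code from Catto & Catto or ACP Technologies. It parses a constructed sample email with Python's standard library and flags a trusted brand in the display name on a non-matching sending domain, a generic greeting, and link text whose domain differs from the real href. The trusted-domain list, the greeting list and both sample messages are assumptions for illustration.

```python
"""Phishing checks for a raw email message (added example, not from the page)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this recipient genuinely does business with.
TRUSTED_DOMAINS = {"amazon.com"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member",
                     "dear valued", "hello,", "hi,", "hi there")
# Link text that looks like a URL or bare domain, e.g. "https://www.amazon.com/gc".
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)

# Constructed sample: brand in the display name, look-alike sending domain,
# generic greeting, and link text that does not match the real href.
SAMPLE_EMAIL = """\
From: "Amazon Gift Cards" <rewards@amazon-giftcard-center.com>
To: stanley@example.com
Subject: Your $100 gift card is waiting
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Claim your reward here:
<a href="http://login.amazon-giftcard-center.com/claim">https://www.amazon.com/gc</a></p>
</body></html>
"""

# Constructed sample of a message that passes all three checks.
LEGITIMATE_EMAIL = """\
From: "Amazon.com" <ship-confirm@amazon.com>
To: stanley@example.com
Subject: Your order has shipped
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello Stanley,</p>
<p>Track it at <a href="https://www.amazon.com/orders">https://www.amazon.com/orders</a>.</p>
</body></html>
"""


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list,
    so 'co.uk'-style domains are not handled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class _BodyCollector(HTMLParser):
    """Gather visible text and (href, link text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._link_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._link_text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def check_sender(from_header):
    """Display name drops a trusted brand but the address is on another domain.
    The From header is not authenticated, so a matching domain can still be
    forged; this only catches the look-alike case."""
    display, addr = parseaddr(from_header)
    domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    brand_named = any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS)
    if brand_named and domain not in TRUSTED_DOMAINS:
        return f"display name '{display}' but sending domain is '{domain}'"
    return None


def check_greeting(text):
    """First non-empty line of the body is a generic salutation."""
    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if first.lower().startswith(GENERIC_GREETINGS):
        return f"generic greeting: '{first}'"
    return None


def check_links(links):
    """Link text shows one domain while the href goes to another."""
    findings = []
    for href, text in links:
        shown = URL_LIKE.match(text)
        target = urlparse(href).hostname or ""
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            findings.append(f"link text '{text}' actually goes to '{target}'")
    return findings


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _BodyCollector()
    collector.feed(body)
    findings = [check_sender(msg.get("From", "")), check_greeting("".join(collector.text))]
    return [f for f in findings if f] + check_links(collector.links)


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(name, analyze(raw) or ["no red flags"])
```

This is a text comparison only: it does not verify SPF, DKIM or DMARC, so a forged From header on the correct domain passes the first check, and a link whose text is just "Click here" is not compared at all. Treat it as a triage aid for a helpdesk script or mail-filter rule, not a replacement for the hover test or the spam-filtering layer described under Prevention.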
Be wary of unsolicited "Windows technical support" calls that ask for company or personal information or for remote access to your computer. Before divulging anything sensitive, verify the caller independently, or end the call and phone the company back on a number taken from its official website.
Look out for ransomware as well; its use is spiking in the healthcare industry. Ransomware is a type of malware that restricts access to the infected computer system and demands that the user pay a ransom to remove the restriction.³ Regular, tested backups kept separate from the network are the practical defense, since paying does not guarantee recovery.
Prevention
Most security incidents are caused by employee error, so the number one prevention tactic is proper training. An educated user is a safer user; allocate enough budget to training and it will pay off in the long run.
Enact security in layers, since no single control catches everything:
- Regularly scheduled software and system updates
- Managed virus protection
- Firewalls
- Email spam filtering
- Monitoring of stored data
- Encryption of laptops, backup media and email that carry PHI (the South Carolina breach above involved unencrypted data sent by email)
- Cyber liability insurance
- Adequate IT budgets (about 5% of revenue for health care companies)
We encourage all our healthcare clients to arrange a comprehensive HIPAA security risk assessment and a network security risk assessment. Once you have action items from those assessments, you can move toward closing the deficiencies they identify and setting up long-term protection standards. We're here to help along the way.
Many thanks to Kenneth Uptain at ACP Technologies for his valuable cyber security insight. For more information on ACP and completing a network security risk assessment, visit acp.us.com or contact him directly at 210-981-1398 ext. 2030.
Sources:
¹ Staysafeonline.org
² Max Focus
³ Wikipedia