Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). PHI is individually identifiable information that relates to the past, present, or future health of an individual or to payment for healthcare. The security safeguards are detailed in the HIPAA Security Rule, and compliance is enforced by the Department of Health and Human Services' Office for Civil Rights (OCR) and by state Attorneys General. When there is a data breach involving PHI, OCR investigates. Investigations are also commonly conducted by state attorneys general to determine whether a data breach was the result of a failure to comply with HIPAA.
OCR and state attorneys general understand that it is not always possible to prevent data breaches. Many data breaches are reported each year that are investigated, and the cases are closed because the covered entities have implemented appropriate security measures, only for them to be bypassed. However, when insufficient measures are put in place to safeguard PHI, financial penalties are typically imposed.
The HIPAA Security Rule does not provide a list of security measures that must be implemented to block phishing attacks, as HIPAA was designed to be flexible. HIPAA-covered entities should conduct a risk analysis and reduce risks to a low and acceptable level using a range of measures and by adopting recognized security practices. HIPAA specifies access controls as a security safeguard, which involves the use of strong passwords and, ideally, multifactor authentication. HIPAA-covered entities must also stay abreast of recently disclosed vulnerabilities and make sure that patches are applied and software is updated to the latest version. The HIPAA Security Rule also calls for security awareness training to be provided to the workforce. While the frequency of training is not specified, OCR has explained in its cybersecurity newsletters that the program should cover new and current threats and should be continuous, rather than a once-a-year training session.
Recently, Avalon Healthcare, a provider of skilled nursing and assisted living facilities, discovered that the failure to implement appropriate defenses to block phishing attacks is grounds for a financial penalty for non-compliance with the HIPAA Security Rule. After being notified by Avalon Healthcare that email accounts containing the PHI of 14,500 individuals had been accessed by unauthorized individuals, the Oregon and Utah Attorneys General launched an investigation to determine whether non-compliance with the requirements of HIPAA was a factor. The investigation was triggered by the lateness of the breach report, which was filed 10 months after the phishing attack was detected, whereas data breaches must be reported within 60 days. In addition to determining that the delay violated HIPAA and state laws, the investigation revealed a lack of security safeguards for combating phishing.
Avalon Healthcare chose to settle the case and paid a $200,000 financial penalty and agreed to adopt a comprehensive information security program that includes email filtering and training for all members of the workforce on phishing and social engineering identification and avoidance, including conducting phishing simulations on the workforce. Had a comprehensive training program been in place, it is possible that the phishing attack would have been detected and avoided.
TitanHQ understands the importance of providing training to the workforce which is why a security awareness training solution has been added to the product portfolio. SafeTitan is a comprehensive training solution for businesses of all sizes that covers all aspects of security, including training employees to recognize phishing, social engineering, and other cyber threats. The platform also includes a phishing simulator for creating and automating phishing simulations on the workforce. SafeTitan security awareness training and phishing simulations have been shown to reduce the susceptibility of the workforce to phishing attacks by up to 80%, and will help to ensure that HIPAA-regulated entities comply with the security awareness training requirements of the HIPAA Security Rule.
Protect your MSP clients with the newest zero-day threat protection and intelligence against phishing, business email compromise, and zero-day attacks with PhishTitan.
If you do not currently provide ongoing security awareness training to your workforce, contact TitanHQ to find out more about the difference this will make to your security posture and how easy it is to provide training through the SafeTitan platform. Like all TitanHQ cybersecurity solutions, SafeTitan is available on a free trial to allow businesses to see for themselves how easy the platform is to use.