Healthcare data security is an important element of Health Insurance Portability and Accountability Act Rules. The HIPAA Security Rule requires covered entities to assess data security controls by conducting a risk assessment, and implement a risk management program to address any vulnerabilities that are identified.
HIPAA-covered entities must also implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.
With cyberattacks on healthcare organizations on the rise and cybercriminals developing increasingly sophisticated tools and methods, healthcare data security has never been more important.
Further, the Department of Health and Human Services’ Office for Civil Rights has increased enforcement of HIPAA Rules and settlements with covered entities for violations of HIPAA Rules are being reached at a greater rate than ever before.
OCR is also conducting audits of covered entities to assess compliance with HIPAA Rules and the technologies that have been implemented to improve healthcare data security. Organizations found to have done too little to improve the security of their networks and data are at risk of significant regulatory fines.
Our healthcare data security category contains articles relating to the HIPAA Security Rule and the controls that HIPAA-covered entities can apply to protect the privacy of patients and safeguard data.
You will also find articles covering new guidelines issued by federal regulators on securing medical and IoT devices, protecting ePHI in motion and at rest, details of cybersecurity frameworks, Information Sharing and Analysis Organizations (ISAOs), and the latest technology that can be adopted by healthcare organizations to improve their security posture.
This section also features news items on new vulnerabilities that could potentially be exploited by malicious actors to gain access to healthcare networks, along with information on the latest scams, social engineering and phishing campaigns targeting the health care data
May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach. Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has changed...
A phishing campaign has been identified that uses fake VPN alerts as a lure to get remote workers to divulge their Office 365 credentials. Healthcare providers have increased their telehealth services during the COVID-19 public health emergency in an effort to help prevent the spread of COVID-19 and ensure that healthcare services can continue to be provided to patients who are self-isolating at home. Virtual private networks (VPNs) are used to support telehealth services and provide secure access to the network and patient data. Several vulnerabilities have been identified in VPNs which are being exploited by threat actors to gain access to corporate networks to steal sensitive data and deploy malware and ransomware. It is therefore essential