By Justin Buren
Buren Insurance Group, Inc.
If you are a healthcare compliance officer, can you say with confidence that you really know what is going on around you? The ability to do so determines your effectiveness.
The reason is simple: The best defense against a cyberattack is prevention in every-day situations. Otherwise, you simply take your chances.
This past January, the U. S. Office for Civil Rights (OCR) issued a memo saying incidents of cyber extortion, in particular, are rising steadily, with cybercriminals typically demanding money to stop the theft of sensitive data or the disruption of computer networks.
Separately, a headline in USA Today, appearing in February, refers to cyberattacks as “warfare” – a notion suggesting that defensive tactics must constantly be in play. In military parlance, the term “situational awareness” means you know what’s going on around you so you can counter threats in real time as they are developing.
Health organizations are especially vulnerable, as private health information amounts to a gold mine for thieves. Think phony drug prescriptions or falsified insurance claims. Elevating the stakes even higher, the potential for rich black-market returns comes at the risk of human lives. Why else would respected health organizations pay ransom if not to protect vital health information that is essential, in many cases, for keeping people alive?
In its memo, the OCR offers guidance on how to prevent or respond to attacks (Fact Sheet: Ransomware and HIPAA). Some of the recommendations reinforce basic requirements of the Health Information Portability and Accountability Act (HIPAA), such as:
- Robust risk assessment and risk management;
- Staff training that ensures employees know how to identify suspicious emails and other signs of malicious activity;
- Effective use of proactive anti-malware solutions.
These are among the obviously necessary steps to take, and indeed, compliance with HIPAA rules amounts to a foundational level of needed security. At an optimal level, situational awareness implies the added protection of daily vigilance on the part of people who truly look out for threats as a matter of routine. The goal: Create a culture in which daily practices make it hard on thieves. Ask yourself questions such as these:
Do your employees really understand that they should not open an email attachment they are not expecting or do not recognize?
Do they really get it that if their computers are running unusually slow, they need to report that to their supervisors immediately?
Do they know that any unusual phone calls, of stranger requests for information, need to be reported?
By answering yes to questions such as these, you are affirming the right environment for preventing attacks. Just as in any other kind of warfare, success requires armed forces working in tandem. In healthcare, an armed force translates to informed employees and business associates who ward off threats as a matter of course — because they well trained on how to recognize potential risks, they know how to stave them off, and their instincts have been honed to the point that they know when to leap into action to safeguard precious health information necessary to human well-being.
In sum, daily vigilance is about a mindset that penetrates an entire organization. It’s about everybody being on the lookout — all the time.