5 Reasons for Healthcare Organizations to Take HIPAA Training Seriously

The healthcare sector in the United States faces escalating data security challenges due to the increased activity of cybercriminals, particularly since the beginning of the COVID-19 pandemic. Consequently, it may be necessary to commit more resources to ensuring staff are provided with sufficient training in relation to their obligations under the Health Insurance Portability and Accountability Act (HIPAA).

If your organization is not currently implementing a robust HIPAA training process for new and current members of your team that includes security awareness training, the likelihood is that you will not be reducing risks to ePHI to a reasonable and appropriate level, and cyber threat actors will find attacks easier. Training is not optional under HIPAA: the Privacy Rule (45 CFR § 164.530(b)) requires covered entities to train all workforce members on their policies and procedures, and the Security Rule (45 CFR § 164.308(a)(5)) requires a security awareness and training program that includes periodic security updates. A failure to reduce risks to a reasonable and appropriate level will also expose you to sanctions from HHS’ Office for Civil Rights.

If this is not enough to prompt your healthcare organization to take HIPAA training seriously, we have compiled five more reasons that may make you reconsider.

1. 2020 was the Worst Year on Record for Data Privacy Breaches

Sadly, this is a continuation of a trend that has been developing over the last few years. In 2020, 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR). These breaches impacted 28,756,445 individuals.

This increase is clearly depicted in the chart below, and the steep rise in the last two years is very noticeable. Hackers doubled down on their efforts during 2020 as the majority of the world’s office workforce moved to working remotely due to the COVID-19 pandemic. The rushed move to remote work exposed serious weaknesses in the cybersecurity measures of many companies and organizations, many of which are still to be adequately addressed. Simple measures like providing HIPAA and security awareness training sessions online can go a long way toward keeping your company safe from the tactics of cybercriminals, phishers, and hackers, since phishing and other social engineering attacks depend on a member of staff taking the bait.

2. Small- to Medium-Sized Practices are Popular Targets for Cybercriminals

2020 also witnessed a sharp increase in the number of attacks targeted at small- to medium-sized healthcare organizations. Data captured by ransomware response firm Coveware during the third quarter of the year indicated that more than two thirds of attacks were targeted at organizations with fewer than 1,000 employees. In the fourth quarter, 65.9% of ransomware attacks were focused on infiltrating the networks of small (30.2%) and medium-sized (35.7%) companies. See the graph below for more detail.

Q4, 2020 Ransomware Attacks. Source: Coveware

The ransomware strains that have been targeting small- to medium-sized organizations include Dharma, Snitch, and Netwalker ransomware. The attraction of attacking smaller organizations is that they tend not to have strong cybersecurity defenses in place, despite holding large amounts of sensitive data in their systems. Because of this, the potential for ransomware gangs to make an easy and quick profit is much higher.

3. HIPAA Compliance Efforts are Taken into Account Following HIPAA Breaches

When a data breach does occur, the subsequent investigation conducted by the HHS’ Office for Civil Rights will take every aspect of the breach into account, including the efforts made to prevent a data breach from occurring. HIPAA breaches attributable to user error are less likely to result in a large financial penalty if it can be demonstrated that employees were provided with the appropriate HIPAA training during onboarding and also underwent regular refresher training sessions. Note that HIPAA does not set a fixed interval for refresher training: the Privacy Rule requires training of new workforce members within a reasonable period and retraining when policies change, and the Security Rule requires periodic security reminders. Annual refresher training is a widely adopted way of meeting those requirements, and you should keep records of who was trained and when, because OCR investigators will ask for them.

This is true no matter how big or small your organization may be. During a HIPAA audit, the absence of an adequate training program will be viewed just as seriously as the absence of appropriate cybersecurity controls or the sharing of passwords between multiple employees. Providing training is one of the easiest and most straightforward ways to try to prevent a HIPAA breach from occurring. Little or no technical knowledge is required, and by using an external vendor you can supply the training directly to your staff no matter where they are based.

4. Undoing Brand Damage Caused by a HIPAA Breach is Difficult

In the unfortunate event of a cyberattack, data breach, or HIPAA violation, the reputation of the organization can suffer greatly. Online coverage of the breach will be one of the first things seen when an Internet search for the company is conducted, and it can take years of subsequent positive news and website content to displace. In addition, negative comments on online review portals, social media networks, and video content will be extremely tricky to address. For this reason, it is in your organization’s best interest to do everything possible to prevent a HIPAA breach from occurring.

Ensuring you have well-trained staff at your disposal is a crucial part of this, as is conducting ongoing HIPAA refresher courses and security awareness training. This matters because, if a breach does happen, the OCR investigation will show that you had done everything reasonably possible to prevent it. That finding can then be publicized to turn a potential bad news story into a positive one and a selling point for your services.

5. Data Privacy Legislation Requirements Around the World are Increasing

Data privacy legislation is only going in one direction. Gartner predicted in 2020 that by 2023 approximately 65% of the world’s population would have its personal data covered by modern privacy regulations, up from around 10% at the time of the report. This creates a challenge that extends beyond operating in the US healthcare sector.

By ensuring that your organization is HIPAA compliant you will already be taking a large step toward compliance with pending privacy and security legislation at the state level, as well as many other data privacy laws around the globe, because those laws share many of the same building blocks: risk assessment, access control, workforce training, and breach notification. This is particularly important if you are consulting with medical experts in a different jurisdiction, providing healthcare services across multiple states, or sharing private data with a patient who is based overseas or on vacation.

Conclusion

In order for your organization to remain safe from HIPAA breaches, and to avoid potentially massive HIPAA penalties and reputational damage, it is vital to implement an appropriate regime of HIPAA and security awareness training for new recruits and existing staff. If you would like to preview the HIPAA training offered by ComplianceJunction, please complete the form below.