Safeguard ePHI: Boost Healthcare Cybersecurity Awareness

Improving Cybersecurity Awareness in Healthcare

October 27, 2022

Understanding the Need for Improving Cybersecurity Awareness in Healthcare

Many cyberattacks succeed due to mistakes by employees and a lack of awareness of basic aspects of cybersecurity. According to the 2022 Verizon Data Breach Investigations Report, 82% of data breaches in 2021 involved the human element. Improving security awareness of the workforce by focusing on key behaviors will go a long way toward improving security and preventing data breaches.

HIPAA and Security Awareness

Security awareness training is a requirement for compliance with the HIPAA Security Rule. The administrative safeguards of the HIPAA Security Rule require all HIPAA-regulated entities to train workforce members on internal security policies and procedures, with the 45 CFR § 164.308 (a)(5)(i) standard requiring “a security awareness and training program for all members of its workforce (including management).”

HIPAA-regulated entities should adopt a risk-based approach when developing training courses and should teach cybersecurity basics and focus on the most important behaviors that can reduce risk. The HHS’ Office for Civil Rights (OCR) has issued guidance on aspects of cybersecurity to include in security awareness training programs and raises awareness of important themes in its quarterly cybersecurity newsletters.

“The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” explained OCR in its Q1, 2022 cybersecurity newsletter. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond.” OCR also stressed the need for training to be provided to all members of the workforce, which includes management personnel and senior executives.

What Should Be Included in HIPAA Awareness Training?

Training should be followed up with regular security reminders, which are an addressable specification of the HIPAA Security Rule. OCR suggests that security reminders can include cybersecurity newsletters, but also phishing simulations sent to members of the workforce to gauge the effectiveness of the security awareness and training program and to provide additional, targeted training to employees who are fooled by the simulations.

Multifactor authentication is an effective additional safeguard for improving access controls to prevent stolen credentials from being used to access accounts. Brute force attacks often succeed due to employees setting weak passwords or reusing passwords on multiple accounts. HIPAA-regulated entities should enforce their password policies, but also make compliance with those policies easier for employees by supplying a business password manager. Password managers can suggest truly random, complex passwords, and greatly improve password security and management.

We’re Here to Help

It is easy to focus on technical defenses for protecting ePHI and preventing unauthorized access, but the importance of training cannot be overstated. Wilson Consulting Group will help your company ensure that all employees are aware of key behaviors; practicing good cyber hygiene will go a long way toward improving the cybersecurity posture of the entire organization.