Covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA related transaction), and business associates must comply with the HIPAA Security Rule by developing security safeguards that protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.
Under the Security Rule, organizations must develop safeguards that protect ePHI from emergent or prevalent threats.
One such threat to HIPAA cyber security is known as an advanced persistent threat (APT).
What is an Advanced Persistent Threat?
An advanced persistent threat (APT) is a long-term cybersecurity attack that continuously attempts to find and exploit vulnerabilities in a target’s information systems.
The attacks are launched to steal information, or to disrupt the activities of the organization that has been targeted.
An individual APT threat need not be (and often is not) technologically sophisticated. What ultimately makes an APT attack effective is the persistence with which it is conducted. In addition, APT attackers are adept at changing tactics to avoid detection. The frequency of the attacks, combined with the attackers’ ability to modify their methods, makes APTs a potent threat to HIPAA cyber security.
What Information is Targeted by APTs?
APTs typically are designed to target or steal the following kinds of ePHI:
- Medical research information
- Experimental treatment testing results
- Genetic data
These types of data contain significant financial value, as they all have importance in driving medical and other scientific innovation. As such, these types of data are particularly attractive to APT attackers.
Indeed, APT attackers’ desire for financial gain makes ANY electronic protected health information a tempting target. That information is used by both providers and insurers to provide and pay for, respectively, healthcare services for individuals. If your organization has not adopted HIPAA cyber security measures to protect this information, the information can be accessed by identity thieves. Identity thieves will not hesitate to exploit the information to commit financial fraud, including theft of health insurance coverage benefits.
As another way of obtaining money, APT attackers often engage in blackmail. If your organization lacks HIPAA cyber security measures, patients’ most private and personal details, which are contained in ePHI, are at risk of compromise. If the information becomes compromised and falls into the hands of an APT attacker, the attacker may blackmail individuals over their sensitive health information – by, for example, threatening to expose the fact an individual has a disease or medical condition – unless the individual pays off the cyber blackmailer.
APT attackers also may be motivated by political or ideological concerns, and may therefore steal information to disrupt or compromise the health and safety of people in a particular state or country, or people of a particular race or religion.
APTs have already been implicated in several cyber attacks on the healthcare sector in the U.S. and around the world. Effective HIPAA cyber security measures are required, therefore, to stop the attacks, and thus protect public health, public safety, and financial security.
Compliancy Group Simplifies HIPAA Compliance
Covered entities and business associates can address their HIPAA cyber security compliance obligations under the Security Rule by working with Compliancy Group.
Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA cyber security issues so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!
