OCR Cybersecurity Newsletter

Each quarter the Department of Health and Human Services’ Office for Civil Rights issues a cybersecurity newsletter. The newsletter highlights cybersecurity trends affecting the healthcare industry. As the March 2022 OCR Cybersecurity Newsletter notes, the number of hacking and IT incidents affecting electronic protected health information (ePHI) has shot up, and rather quickly at that. In fact, there has been a 45% increase in the number of hacking or IT incidents reported in 2019 compared to 2020. In addition, of all breaches involving 500 or more individuals reported to OCR in 2020, ⅔ were due to hacking or IT incidents. 

The OCR Cybersecurity Newsletter for March of 2022 discusses preventative steps covered entities and business associates can take to protect against some of the common cyberattacks driving these numbers. Here are some newsletter highlights.

OCR Cybersecurity Newsletter: Because It Still Works

As the newsletter notes, most cyberattacks can be substantially mitigated or prevented altogether. This is if covered entities and business associates implement Security Rule requirements to address the most common cyberattacks. 

OCR singles out three common cyberattacks that can be mitigated or prevented:

  • Phishing
  • Exploitation of known vulnerabilities
  • Taking advantage of weak authentication protocols

Using any of these methods, an attacker can encrypt a provider’s or business associate’s PHI or ePHI. From there, the attacker can hold the information for ransom, dangle the threat of public release to blackmail someone, or use the information to commit identity theft. Attacks on PHI also can disrupt the provision of healthcare, as covered entities and businesses find their operations and resource flows slowed or stopped because of a cyberattack.

OCR Cybersecurity Newsletter: Phishing – Avoiding the Bottom Feeders

Phishing has been a favored cyberattacker tool since the early days of the Internet. The word “phishing” was created around 1996 by hackers who were stealing account and password information from Internet Service Provider (ISP) America Online users. While America Online, dial-up modems, and installation CDs have attained relic status, basic phishing techniques have remained the same. A cyberattacker sends an email to the intended victim; the message informs the victim that their email account has been compromised and that the user needs to respond immediately by clicking on a provided link. Clicking on the link sets the attack in motion.

Let’s Simplify Compliance

HIPAA and cybersecurity go hand-in-hand. Protect your business by becoming HIPAA compliant today!

Learn More!
HIPAA Seal of Compliance

Over the years, variations on this basic technique have developed as new methods of cyber-communication have been introduced. 

These variations have colorful names that belie their dangerousness.

Spear Phishing

Spear phishing is a type of phishing targeted and personalized to a specific individual, group, or organization, such as a hospital or hospital chain. Casinos often refer to high-wealth, high-rollers who keep coming back to the table as “whales” (Remember the first rule of gambling: The House Always Wins). The cyber-world has its own phishing version of such creatures, called whale phishing. Whale phishing typically targets CEOs, CFOS, and other top company executives. The cyberattacker attempts to lure in this larger prey by making an outsized threat. A whaling email might, for example, state that a company is facing dire legal consequences, which can only be abated by clicking on the link in the email. The organization can be financially harpooned if the whale takes the bait.

Smishing

Smishing is a type of at