Health Data Breach Tally Spikes; AMCA Breach Reports Added
Total Number of Individuals Affected by Breaches Reported in 2019 Triples
… Susan Lucci, senior privacy and security consultant at tw-Security, notes that statistics drawn from the HHS breach website can be foggy because of the way entities report their breaches to HHS.
“One thing I think is important, if we are to learn statistically from these events, is some clarification on the right category for covered entities to use when posting breach information,” she notes.
“For example, is an event that begins in email an email event, or is it unauthorized disclosure, or hacking? What about ransomware, where the intruders access a system through a fatal click, but then use hacking methodologies to further exploit the system? In other words, is the initiation of the data breach the ‘cause’ of the breach, or is it the event itself? Some covered entities may be unsure of the correct category to choose.”
… Covered entities can take steps to push their business associates to improve their security postures, Lucci notes. That includes making sure that BAs “ensure that they are updating their compliance program in every area,” she says.
“When was the last time they updated their security risk analyses? If they aren’t reviewing policies, procedures and practices at least annually, they may find what they have in place is outdated and has not kept up with the organization’s growth and potential new systems.”
The surge in hacking incidents in the healthcare sector will continue unless strong action is taken, Lucci argues.
“Phishing emails could often introduce cybercriminal activity into a network that remains undetected for a long period of time,” she says. “This is why it is critical to ensure the workforce is aware of many common email subject lines that are being used. … Attention getters are ‘inbox over size limit,’ ‘survey request,’ ‘urgent,’ ‘follow-up,’ and ‘PTO balance exceeded’,” she says.
“Recently, we have seen survey requests that look authentic that appear to be sent from a corporate executive, so these specific types of examples should be shared,” she notes.