The US Department of Health and Human Services Office for Civil Rights July #Cybersecurity update reminds you to train your workforce so they don't get caught by a phish! This statement is specifically targeted to healthcare "covered entities" but really applies to all businesses and computer users.
What is a Phish? Phishing scams are attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers. The emails are carefully crafted to look like the real thing, but watch out! Users are trained to not open "suspicious" links, but what if the email looks like an important email from FedEx, your bank, or the US Post Office? Without training, users can't tell the difference.
Periodically testing users is also needed to make sure that the training is working. Will your users click on the link? Run a test and find out. Otherwise, you really don't know.
A covered entity's workforce is its front line of defense, not only for patient care but also for safeguarding the privacy and security of its patients' protected health information (PHI). With the growing number of interconnected smart devices and the increased use of interconnected medical record and billing systems, there has been a ten percent increase in the number of providers and health plans that have had HIPAA-related security violations in the past two years.
The HIPAA Security Rule specifically requires covered entities and business associates to create a security awareness and training program.
You can read the full post by OCR here.
Not a healthcare organization? Read on. The Massachusetts Data Security Law, which applies to ALL businesses in Massachusetts, has very similar guidelines relating to the protection of personally identifiable information (PII). Any combination of a name and a social security number, driver's license number, bank account number, credit card number, etc., MUST be protected.
If you're concerned about cybersecurity in your practice or business, please contact us to find out whether you could be doing more to protect yourself. Short of disconnecting all computing devices, these threats are here to stay, and employee education and training are a key component of cybersecurity protection for everyone.
Cybersecurity protection involves layers of protection AND a comprehensive training plan for users.