HIPAA covered entities saw an 85.71% month-over-month in reported breaches as of June.

HIPAA covered entities saw an 85.71% month-over-month in reported breaches as of June 2020 year which equates to about 1 million patient records a month.

3 Biggest Breaches

The 3 biggest breaches in June were recorded at a Texas billing and collections agency, BRS Inc | Merit Health & | Magellan Healthcare [FL] which accounted for 400,000 records. The most common type of breach was recorded through email attacks with 63.46% of the breaches involving ePHI stored in emails and attachments and the balance being hacked from network storage. These attacks on data privacy all leads us back to causation of these incidents and most others in HIPAA / GDPR covered entities, namely phishing and malware (mostly ransomware) downloads.

Hacking

Hacking is a self-perpetuating pursuit as the rewards fund drugs cartel like growth in cyber-criminal circles while the end user can’t recognize the threat posed by their product, which in this case is fraudulent emails. To date the most effective defense is awareness training supported by proactive security, compliance personnel & executives who watch the trends and action intelligence from the user base and online sources.

How to Respond!

It’s important for all medical organizations to train their staff in the risks of phishing particularly in a less repetitive fashion. In a recent article feature in the Harvard Business Review entitled “Boost Your Resistance to Phishing Attacks“, two academic researchers propose a multi-stage psychological approach to training with the objective of having staff take a breath, so “if an email requests action; consider the nature, timing, purpose, and appropriateness of the request; and consult a third party about any suspicions”, this, approach they call mindfulness. They go on to discuss team dynamics and the better approach of having a constancy in training with smaller team training exercises and even tying in bonuses to security awareness. The researchers also talk about ‘gamifying’ training which of course would require a more advanced approach. I recommend the read for those of you, ready to tackle privacy and security training in the ubiquitous face of hackers and ransomware.

The full breach report for June can be found here on the HIPAA Journal website.

Stay Tuned for Future Posts by following the Author on Linkedin

While your here, why not visit our consulting services page to see how we can help transform your data privacy program by clicking the link below!