Cyber-awareness: New Education from OCR

The Office for Civil Rights (“OCR”) at the Department of Health and Human Services sent out an email on February 2, 2016 to announce the launch of a cyber-awareness initiative for the healthcare industry. OCR recognizes the danger that an array of bad actors poses to healthcare and the need to spread information about it. As set forth in the email, OCR will highlight different threats and the tools that may be available to counter them through monthly or periodic messages.

The February 2nd email, which really covered January 2016, addressed ransomware, “tech support” scams, and a new Better Business Bureau scam tracker. The email introduces each topic with some basic information and suggestions on actions to take.

On the topic of ransomware, OCR explained that it is malicious software that blocks the victim’s access to their own data. The bad actors behind the attack then charge the victim a fee to “free” the data. In reality, however, there is no guarantee that paying the ransom will actually restore access. Bringing the discussion back to HIPAA, which is OCR’s realm, OCR suggested that covered entities and business associates need to be especially vigilant. Healthcare information is particularly sensitive, and there is an obligation to ensure that it remains available. For example, OCR suggested that covered entities and business associates regularly back up data to minimize the harm from losing a portion of it, ensure that all software and anti-virus tools are up to date, and otherwise implement browser and email protections. As G.I. Joe used to say, knowing is half the battle.

The second threat, tech support scams, is another risk similar to ransomware. In a tech support scam, the bad actor claims to be technical support and talks a user into granting access to the user’s computer and, in turn, to any connected system. Once trust is gained and access is granted, the game is over. It is important not to blindly trust others, especially when it comes to network systems. Unknown actors should never be allowed access to a system or otherwise enabled to log into it. The growing number of touch points for computer support, though, simply creates more opportunities for this type of attack. Additionally, the increasingly remote nature of tech support makes users more susceptible, because there is now an expectation of outside support. In light of this reality, it is necessary to question anyone who asks to access a computer before doing anything.

The third item in OCR’s email identified a new scam tracking resource from the Better Business Bureau. The tracker identifies scams and enables self-reporting and information sharing. In this instance, it is beneficial to collect information from a wide variety of sources. Anyone can report a scam, which makes it a truly crowd-sourced resource. Being able to find out about scams in essentially real time provides a great benefit to many.

If OCR continues to produce similar monthly emails, they will represent a pretty good educational resource. Hopefully the emails will keep coming. Cybersecurity and, relatedly, cyber-awareness are certainly hot-button topics and at the forefront of many minds. Taking a HIPAA-based focus to the discussion is good for the healthcare industry. Hopefully, it can help dispel the myth (or truth) that healthcare is deficient and behind when it comes to security. As always, only time will tell.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
This entry was posted in Health IT, HIPAA, HITECH.
