5 HIPAA Cybersecurity Requirements for CISOs

HIPAA Compliance Pays Off

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established privacy standards in the U.S. to protect sensitive data, from your social security number to the exact date and time of your tonsillectomy. Today, lawmakers have developed new HIPAA cybersecurity requirements to protect patients from the ongoing threat of cyberattacks and curb the steep rise in information theft — and non-compliance comes with a hefty price tag.

What CISOs Need to Know about HIPAA Cybersecurity Requirements

A record-setting 1,862 data breaches were reported worldwide last year, up 68% from the previous year. So it’s no wonder companies are being held accountable for the data they collect and store. HIPAA compliance requires hospitals and healthcare organizations to adhere to a handful of different rules to protect sensitive patient information.

1. Privacy

Patients have the right to keep their protected health information (PHI) private. PHI can encompass a variety of information on sensitive topics like diagnoses, appointments, and procedures.

2. Security

Organizations must secure PHI from unauthorized use and distribution. Think insurance information, names, addresses, and the like.

3. Enforcement

Entities protecting PHI must enforce security protocols at all times and initiate investigations in the event of a data breach. The best way to demonstrate this is to create and follow data protection protocols — and keep impeccable records in the event of an attack.

4. Breach Notification

Entities must inform appropriate local and national authorities should a breach occur. Data breach reports must note who contacted whom and what information was shared.

5. Omnibus

The Omnibus Rule updated HIPAA with cybersecurity in mind (thanks to the HITECH Act). The rule clearly states that organizations are liable for their compliance with HIPAA (more below).

How to Meet HIPAA Compliance Requirements

With the addition of the HITECH Act to HIPAA, healthcare organizations need to be much more vigilant about maintaining their HIPAA compliance. There are several ways healthcare cybersecurity professionals can stay on top of meeting HIPAA requirements.

Compile a Comprehensive Risk Assessment

It pays to be prepared. Get started by combing through your company’s data collection, processing, and storage methods with your IT team to identify risk factors and exploitable gaps. Use the Office for Civil Rights (OCR) Audit Protocol designed for HIPAA compliance as your road map.

Address Risk Factors, and Amend Compliance Gaps

Having completed an audit, prioritize meeting HIPAA’s compliance criteria. Keep updated records on the measures you’re taking and the lengths you’re going to for improvement. In the event of a future cybersecurity breach, you may need to prove in writing that you made every effort possible to protect your data.

Once Everything Is in Order, Develop a Process to Keep It That Way

Automated reporting will alert you to any deviations in compliance. Schedule regular training sessions with employees to keep everyone in the know about the latest requirements. Make it a habit to look for ways to improve your defenses, whether that means overhauling your process or just trying out new software. Stagnation is your enemy.

HIPAA Violations Levy Heavy Penalties

We know protecting your clients’ information is motivation enough to take cybersecurity seriously, but take a moment to consider how a data breach will affect your organization’s bottom line, especially if you’re out of compliance. Violations are broken down into tiers and, depending on how many records are at risk, the costs are staggering.

Below is a summary of what it could cost a business per record affected if found non-compliant.

Tier 1 Violation — Lack of Knowledge

An entity is reasonably HIPAA compliant. However, it was unaware of the violation and could not have easily avoided it.

Penalty: $100 – $50,000 per record

Tier 2 Violation — Reasonable Cause

An entity is not quite considered neglectful of HIPAA compliance.

Penalty: $1,000 – $50,000 per record


Tier 3 — Willful Neglect

An entity is found neglectful of HIPAA compliance; however, it corrects the violations within a stated time period.

Penalty: $10,000 – $50,000 per record


Tier 4 — Willful Neglect (Not Corrected)

An entity is neglectful of HIPAA compliance and does not correct its violations.

Penalty: $50,000 per record, up to an annual maximum of $1.5 million

Get to Work

Follow cutting-edge cybersecurity best practices to prevent data breaches and prepare for the worst-case scenarios. Not only does protecting your data pay off in reputation and preserve trust from your customers — it saves a bundle in legal expenses. If all of that has you sweating, make sure your organization is prepared with cyberattack simulations and cyber wargames to gain some peace of mind.

Want more information on healthcare cybersecurity? Check out these other helpful resources:

Post-Pandemic Banks Should Be Ready to Dump Two-Factor Authentication

What’s the Next Best Cybersecurity Innovation For Banks?

Use of 2FA (two-factor authentication) goes back to the 1980s, when a key fob generated a numerical code for users to append to their passwords. The evolution of this method worked well for the better part of four decades — outlasting other ’80s innovations like two-pound cellular phones and Members Only jackets — but it’s past time to change the locks on digital defenses, particularly for banks.

This is not to say that all 2FAs are useless — and, since banks are required to use 2FA technology, we’re not suggesting they go completely rogue. The idea behind 2FA isn’t bad — the problem is in its execution. As there’s no digital leash tying the authenticator to the device, hardware tokens are still a viable way to protect access to critical data and systems. The problem is that many 2FAs aren’t using hardware. Even using an authentication app on a phone creates potential avenues for vulnerability, from email phishing to flaws in software features.

Cybersecurity has become too complex since the days of Walkmans and leg warmers for a security system to run on a “set it and forget it” mentality. Constant innovation is a must. The hard truth is that SMS-based 2FA is increasingly easy to defeat, leaving millions of bank accounts vulnerable to cybercriminals waiting to pluck their PII — personally identifiable information.


The Nokia 2021 Threat Intelligence Report notes the increased risk of banking malware threats. Cybercriminals often start with a trojan that snatches one-time passwords by capturing keystrokes or overlaying fake bank login screens. From there, they let themselves into the victim’s mobile bank account. These kinds of malware attacks have been most successful on Android devices because of their open-source code and ubiquity. That’s not to say that Apple’s iOS is fundamentally more secure — if there’s a weakness in any OS, persistent black hats will find it.

Even if a bank account owner is vigilant — protective software, regular OS updates, and a keen eye for phishing emails — there’s the matter of information in transit. Cybercriminals exploited a weakness in Signalling System No. 7 (also known as SS7), a telephony signaling language that allows text messages and phone calls to travel across the globe uninterrupted. Using SS7 to redirect text messages containing one-time passwords from their banks in order to access the accounts, hackers were able to bypass mobile bank 2FAs meant to protect users against unauthorized withdrawals. They then used mobile transaction authentication numbers (mTANs) to drain them. It’s shockingly easy to steal money these days.

While 2FA has its benefits — and it’s certainly better than no protection at all — the inherent problem is that it adds layers of security that can be circumvented once a device is compromised. Banks are under pressure to replace 2FAs with other methods such as adaptive authentication. This method evaluates a user’s login attempt and assigns a risk score based on the device, its location, the user’s role, or any other parameters security personnel set. If the attempt is considered medium risk, the user might be asked to verify certain credentials. If considered high risk, their access can be blocked. Because this process requires machine learning, its algorithms are never static; each user’s behavior, location, IP address, and more are monitored and recorded to proactively detect fraudulent access before it even shows up at the door.
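The risk-scoring flow just described, as an added Python illustration (not code from the original post or from any bank's product): the signals, weights, thresholds and the sample user profile are all assumptions chosen for this example.

```python
from dataclasses import dataclass, field

# Thresholds and weights are assumptions for this example, not values from any real product.
STEP_UP_THRESHOLD = 40   # medium risk: ask the user to verify additional credentials
BLOCK_THRESHOLD = 70     # high risk: refuse the attempt outright

@dataclass
class UserProfile:
    role: str                                   # "customer", "teller", "admin", ...
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_networks: set = field(default_factory=set)   # /24 prefixes seen before

@dataclass
class LoginAttempt:
    device_id: str
    country: str
    ip: str
    hour_utc: int

def network_of(ip):
    """Coarse /24 prefix used as the 'usual network' signal."""
    return ip.rsplit(".", 1)[0]

def risk_score(profile, attempt):
    """Add a weight for each signal that deviates from the user's recorded behaviour."""
    signals = [
        (attempt.device_id not in profile.known_devices, 30, "unknown device"),
        (attempt.country not in profile.usual_countries, 35, "unusual country"),
        (network_of(attempt.ip) not in profile.usual_networks, 15, "unusual network"),
        (attempt.hour_utc < 5, 10, "off-hours login"),
        (profile.role == "admin", 15, "privileged role"),
    ]
    reasons = [name for hit, _, name in signals if hit]
    score = sum(weight for hit, weight, _ in signals if hit)
    return min(score, 100), reasons

def decide(profile, attempt):
    """Map the score to allow / step_up / block, the three outcomes the article describes."""
    score, reasons = risk_score(profile, attempt)
    action = "block" if score >= BLOCK_THRESHOLD else "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return action, score, reasons

def record_success(profile, attempt):
    """After a verified login, fold the attempt into the profile so the baseline is never static."""
    profile.known_devices.add(attempt.device_id)
    profile.usual_countries.add(attempt.country)
    profile.usual_networks.add(network_of(attempt.ip))

# Constructed sample profile: a customer who has only ever used one laptop from one US network.
ALICE = UserProfile("customer", {"laptop-1"}, {"US"}, {"198.51.100"})
```

A real deployment would replace the fixed weights with a model trained on the recorded history, but the allow / step-up / block decision structure stays the same.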

Protecting the assets of a bank’s account holders should be a financial institution’s top priority, and in today’s digital frontier, that means staying multiple steps ahead of cybercriminals.