Corporate Compliance Insights

Are Health Care Organizations Protecting Data as Well as They Think?

by Gretel Egan
July 10, 2018
in Data Privacy, Featured

8 Tips to Strengthen Your Data Security Practices

The more often data is handled, the greater the risk of a compliance failure, and some of the most sensitive data is entrusted to an industry that struggles to protect it sufficiently. In this article, Gretel Egan of Wombat Security, a division of Proofpoint, shares what health care organizations can do to address information security challenges.

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) set forth legal requirements related to privacy and security safeguards for certain pieces of medical data. Now, more than 20 years later, health care organizations seemingly feel confident in their ability to execute against HIPAA mandates, according to the findings of a recent Ponemon Institute and Globalscape study. The researchers asked compliance professionals to rate the difficulty and importance of several data security regulations, and fewer than 50 percent of respondents classified HIPAA as being “difficult or very difficult to achieve compliance.” In fact, HIPAA was only the fourth most difficult regulation in these compliance professionals’ eyes, ranking behind the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS) and U.S. state laws.

Despite this perception, it’s clear (if only from the growing list of cases under investigation by the U.S. Department of Health and Human Services Office for Civil Rights) that protected health information (PHI) is breached regularly. And while hacking is a prominent source of these breaches, IT incidents such as phishing attacks and malware/ransomware infections are also frequent causes of data compromise, as are unauthorized disclosure, theft and loss. This means that health care workers’ behaviors are often at the root of a breach — and to make matters worse, these workers are also frequently targeted by cybercriminals. This is a perfect storm for organizations that are not training staff in cybersecurity best practices.

How Cyber Savvy Are Health Care Workers?

A recent report from security awareness and training provider Wombat Security, a division of Proofpoint, analyzed end-user responses to nearly 85 million cybersecurity assessment and training questions across 12 different topic categories and 16 different industries. End users in the health care industry answered 23 percent of questions incorrectly across all categories, making health care one of the four worst-performing industries analyzed. More concerning than this, however, is that these respondents struggled most with questions related to data protections. Health care workers incorrectly answered 26 percent of questions in the Protecting Confidential Information category (a topic that includes queries about HIPAA-mandated safeguards for PHI), and they missed 28 percent of questions in the Protecting and Disposing of Data Securely category, which covers techniques for properly managing data throughout its lifecycle.

This is particularly alarming considering that as end users in the health care industry continue to collect, store and share patient data, the risk of compliance failure continues to grow.

Within a typical health care setting, there is a hybrid environment where both electronic and hard-copy records are available. For electronic medical records (EMRs), it is critical for every end user in a health care setting to be properly trained in all areas of electronic data protections and to be well-versed in how to spot and avoid phishing attacks. According to a study by the American Medical Association (AMA) and Accenture, 83 percent of U.S. physicians have experienced some form of cyberattack, with phishing as the most common vector (55 percent). Additionally, more than half (55 percent) of physicians polled said they are concerned about future attacks.

But while anti-phishing education is clearly needed within the health care space, security awareness training programs that focus solely on email will not teach users all the ways PHI can be compromised, particularly given the health care industry’s continued reliance on paper and films. Health care organizations must stress proper handling, storage and disposal techniques for physical pieces of PHI, as well as electronic files. In addition, they should train employees that lapses in physical security — like losing a computer or leaving a secure door unlocked — can ultimately lead to a cybersecurity compromise, like theft of EMRs or installation of malware on an internal device or network.

End Users Can Be a Tough Nut to Crack

Workers in the health care industry are given access to some of the most sensitive data about individuals, and this elevates the need for effective security awareness and training programs across nearly all roles and responsibilities. Organizations and individual employees alike need to ensure PHI is properly handled and secured.

It’s important for infosec teams not to underestimate the influence that employees can have on data security — and, by extension, on the “ease” of achieving HIPAA compliance. They should also recognize that occasional communications about cybersecurity will not be enough to bring about measurable behavior change. An ongoing, employee-centered education program is the best way to move the dial.

That said, there are a few key tips that you can share with employees in the health care industry (and, in fact, any industry) to help raise awareness in the short term:

  1. Follow approval policies related to the transfer of sensitive data and invoice payments. Cybercriminals often impersonate trusted colleagues and vendors via email-based phishing attacks and voice phishing (aka, vishing) phone calls. It’s critical that staff members verify (and receive approval for) these requests prior to acting on them.
  2. Be proactive about protecting PHI and learning about the implications of noncompliance with any regional and/or national mandates.
  3. Verify the validity of links, attachments and requests for credential submissions (e.g., password resets or account confirmations) that arrive via email. Staff should be instructed to confirm via trusted phone numbers, known web addresses or other legitimate sources before acting on instructions within an unsolicited email.
  4. Keep software up to date (including anti-virus, web browsers, desktop/mobile operating systems and any proprietary systems). Act quickly to patch or remediate any known vulnerabilities.
  5. Back up files and data to a secure location daily (or even hourly), if possible.
  6. Lock (and password-protect) computers and electronic systems when not in use.
  7. Never leave physical files and forms unattended. Keep filing systems and secure areas locked when not in use, and only grant access to “need to know” individuals.
  8. Minimize (or eliminate) the transport of sensitive data outside of the health care setting. Loss and theft are common sources of data breaches, so the less often data is on the move, the better. When possible, staff should complete paperwork within their job setting and avoid taking sensitive electronic or physical files home with them.

Gretel Egan

Gretel Egan is Brand Communications Manager for Wombat Security, a division of Proofpoint and the leading provider of cybersecurity awareness training software that helps organizations educate employees. She has extensive experience in researching and developing cybersecurity education content and was named one of the "10 Security Bloggers to Follow" by IDG Enterprise.
