Employee Training Can Prevent Attacks and Punishing Employees for HIPAA Violations Can Prevent Penalties
Ransomware accounted for more than 1 in 10 healthcare data breaches reported to the government during the last three years, according to analysis by Bloomberg Law. Cybercriminals capitalize on lack of employee training by sending emails with malicious attachments to gain access to healthcare providers’ and business partners’ networks. With this access, the ransomware typically encrypts all of the data within the organization’s network that cannot be recovered until the ransom is paid for the decryption key.
Guidance from the HHS Office of Civil Rights (“OCR”) makes it clear that a ransomware attack usually results in a breach under the Health Insurance Portability and Accountability Act (“HIPAA”) that requires compliance with costly notification rules.
Training employees to be highly suspicious of attachments and unknown hyperlinks is key to preventing these phishing attacks. Employers should educate employees on how to spot emails that attempt to masquerade as legitimate emails from co-workers and business contacts but often contain a number of these tells:
- The email address is not associated with the business’s website (e.g., “hollandhart@online.com” rather than “webalert@hollandhart.com”).
- The email is sent with high importance.
- The link in the email isn’t actually a real URL. Place your pointer over the link—without clicking!—and compare the URL in the pop-up window to the link. If they don’t match, don’t click.
- The email contains criminally bad spelling and punctuation errors.
Punishing employees who violate HIPAA can decrease the possibility of OCR imposing a penalty, according to Bloomberg Law’s research. Nearly 1 in 6 of the breaches in 2016 and 2017 reported to OCR did not result in a penalty or resolution agreement because the organization had already punished employees for HIPAA violations.
For more information about how to respond to a ransomware attack in compliance with OCR’s guidance on ransomware, visit this article.
For questions regarding this update, please contact:
Claire Rosston
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: ccrosston@hollandhart.com, phone: 208.383.3960
This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author(s). This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.