By Renee Cocchi
Although cyberattacks and other forms of computer hacking, such as malware and ransomware, have been the most recognized forms of data breaches to date, one of the most common HIPAA violations is actually something called social engineering. In this guest post, Perry Price, president/CEO and founder of a company that delivers secure, compliant unified communications via its cloud platform, explains what social engineering is and why it’s a threat.
As the number of data breaches continues to rise, cyberattacks have quickly become a hot topic. Although the primary concern surrounding these attacks tends to come from previous experiences with credit card breaches at major retail stores, there’s a growing concern around the risk of confidential information being exposed in other settings such as hospitals and physician offices.
Of course, security and HIPAA compliance are top concerns for providers looking to adopt cloud-based telehealth practices, which can be used to reach more patients with better care. But while health organizations frequently think that HIPAA violations and security breaches usually start with technology, it isn’t always the first access point.
Overlooked Threat
Social engineering is actually one of the most common HIPAA violations.
Social engineering occurs when cybercriminals convince healthcare employees to provide confidential information about their patients under false pretenses. Stuart Gerson, a lawyer who represents companies involved in healthcare data breaches, has noted that “the majority of breaches have to do with human failure” — a threat often overlooked by providers solely focused on the security of their cloud or communication solutions.
Even with increasingly secure systems designed to protect patient information against the latest cybersecurity threats, cases of social engineering continue to evolve as a major path for hackers to circumvent the system, making human error one of the most common HIPAA violations today.
Manipulate Insiders
Why are these social engineering methods so successful at undermining cybersecurity in health care?
Hackers are able to manipulate trusted insiders of a system in order to gain access to confidential information that would otherwise be protected.
Consider this: A call center agent working in a hospital receives a call from a hacker who’s claiming to be a representative at a financial firm where the agent holds a personal retirement account. The caller then tells the agent that he must download a special type of software in order to secure his data. Worried about protecting his financial data, the call center agent downloads the software onto his work computer to quickly take care of the issue. However, while the agent loads this software, he unknowingly gives the hacker access to his computer, which also hands over the private health information of thousands of patients.
The method described above has become a popular way to hack into healthcare database systems, as it’s easier for hackers to manipulate an employee to (unknowingly) provide direct access to the sought-after data than to circumvent today’s increasingly secure telehealth solutions.
This scenario demonstrates one of the most common ways in which social engineering can result in a HIPAA violation. It also reveals why healthcare organizations need to take numerous steps, beyond simply implementing secure solutions, to safeguard their patients’ account information.
Safeguard Against Human HIPAA Violation
The two main types of safeguards that healthcare organizations can implement to minimize these types of HIPAA violations are administrative support and employee training.
Since social engineering plays a prominent role in hackers’ access to data, administrative safeguards are the most critical type of solution for hospitals to consider from an employee access perspective.
As defined by the Office for Civil Rights (OCR), administrative safeguards are “the office rules and procedures that help protect against a breach.” A prime example would be the implementation of policies that determine each employee’s access level to patient documents and information, as well as the role each employee plays in the protection of that information.
Since employee access is the root of social engineering’s success, it’s also important that healthcare systems properly train all employees about these hacking tactics, especially those who have access to any type of personal health information. This type of training can range from holding monthly staff meetings to sending tips via email about how to identify potentially harmful situations.
Additionally, while healthcare organizations should go beyond just implementing secure solutions, it remains important for executives to consider the type of communication solutions they’re using as a starting point, since some of these safeguarding concerns can be addressed through the technology as well. For example, implementing communications solutions that can provide information about incoming calls, as well as externally encrypt each conversation as it unfolds — regardless of the media type — can help hospitals in their effort to safeguard against human error.
As providers look ahead to the future of healthcare, it’s apparent that more steps need to be taken in order to protect digitized health information. However, by employing safeguards like administrative support and employee training, as well as the use of secure communications solutions, hospital employees are notably less susceptible to the most common HIPAA violation today — their own human error.