October OCR cybersecurity newsletter warns of social engineering attacks

Written by Farah Amod | Nov 11, 2024 11:00:00 AM

The latest cybersecurity newsletter from the Office for Civil Rights (OCR) has a clear message for healthcare organizations: social engineering attacks are on the rise, and people—not software—are often the weak link.

What happened

OCR’s October newsletter points to a major issue in cybersecurity: human error. According to the 2024 Verizon Data Breach Investigations Report, two-thirds of breaches now stem from human factors. Phishing is the top tactic, with cybercriminals using emails, texts, and calls to get healthcare employees to hand over sensitive data.

Going deeper

OCR indicates the need for more employee training to combat these tactics. The newsletter suggests:

  • Spotting red flags: Training staff to identify suspicious messages.
  • Mock phishing tests: Giving employees practice in recognizing scams.
  • Reporting suspicious activity: Clear steps for staff to follow if they suspect a threat.

HIPAA compliance also plays a part in reinforcing these defenses.

What was said

OCR officials stated, “When it comes to cybersecurity, the concept of ‘trust no one’ applies universally. Attackers increasingly impersonate loved ones and business partners, convincing individuals to take actions or disclose details they wouldn’t ordinarily consider. Educating workforce members on these attacks equips them to recognize and potentially prevent social engineering incidents. This awareness is critical for both personal security and workplace safety, especially as work is conducted across laptops, smartphones, and remote environments.”

Why it matters

Social engineering attacks put patient data—and the reputation of healthcare organizations—at risk. The OCR’s newsletter reiterates the necessity of staying vigilant, training staff, and having clear procedures in place to respond to potential threats.

FAQs

What is cybersecurity and how does it relate to healthcare security?

Cybersecurity involves protecting computer systems, networks, and data from digital attacks, unauthorized access, and damage. In healthcare, it is necessary to safeguard protected health information (PHI) and electronic protected health information (ePHI). Effective measures help keep sensitive patient data confidential, secure, and compliant with HIPAA regulations.

Why is cybersecurity important for HIPAA compliance in healthcare settings?

Cybersecurity supports HIPAA compliance because it helps protect PHI from breaches and unauthorized access, which is central to maintaining patient privacy and confidentiality. By implementing strong cybersecurity practices, healthcare organizations can prevent data breaches, avoid significant fines, and ensure that they meet HIPAA’s security and privacy requirements.

What are the potential risks associated with inadequate cybersecurity under HIPAA?

  • Data breaches: Unauthorized access to ePHI, leading to exposure of sensitive patient information and violation of HIPAA regulations.
  • Non-compliance penalties: Significant fines and legal consequences for failing to implement sufficient security measures as required by HIPAA.
  • Financial losses: Costs related to breach remediation, legal fees, and potential settlements with affected individuals.
  • Reputational damage: Loss of trust from patients, partners, and the public due to the organization’s failure to protect sensitive health information.
  • Operational disruptions: Interruptions to healthcare services and administrative functions caused by cyberattacks or compromised data security.