
OCR Launches New Cyber-Awareness Initiative

The New Year has already seen the Department of Health and Human Services’ Office for Civil Rights issue new guidance for HIPAA-covered entities. That has now been followed up with the launch of a new initiative to improve cyber-awareness of the latest security threats. By increasing awareness of the threats to healthcare data security it is hoped that many healthcare data breaches can be avoided.

As was highlighted by the recent Online Trust Alliance security report, the majority of healthcare data breaches can be easily avoided by implementing basic security principles, such as educating staff members on the latest data security threats.

OCR has kicked off the initiative with advice on two growing security threats, ransomware and tech support scams, both of which have increased in prevalence over the past 12 months.

OCR Offers Advice to Help HIPAA-Covered Entities Avoid Ransomware


Criminal gangs have been using ransomware with increasing regularity. Ransomware is a form of malware that encrypts the files on a computer, preventing the user from accessing their data. The files can only be recovered with the decryption key, which is held by the attackers and is released only if a ransom is paid; payment is no guarantee that a working key will be supplied.


Ransomware is spread by a number of different vectors. Email attachments have been the preferred method of delivery, but they are not the only one: ransomware can also be delivered via MMS text messages, botnets, malvertising, hijacked legitimate websites, and malicious websites hosting exploit kits. Exploit kits perform drive-by attacks: once the user's browser loads the page (typically because the user was fooled into clicking a link, or was redirected there by a compromised site or a malicious advert), no further interaction is required. The kit probes the browser and its plugins for an exploitable flaw, such as an out-of-date version of Adobe Flash Player, and if one is found the ransomware is installed silently.

The FBI has already issued warnings about the rise in use of ransomware by criminal gangs, and while healthcare organizations are not believed to have been extensively targeted to date, there is a very real risk of attack.

OCR has recommended performing regular backups of data to external devices so that critical data can be restored without paying a ransom. Note that ransomware encrypts every drive and network share it can reach, so backups only protect against it if they are kept offline or otherwise disconnected from the affected systems, and if restores are tested regularly.

Exploit kits overwhelmingly exploit known vulnerabilities in web browsers and browser plugins for which a patch already exists, and only occasionally a zero-day, so installing patches promptly closes most of the window of exposure. Keeping anti-virus and anti-malware definitions up to date is also essential.

Malvertising poses a considerable risk. It involves placing malicious adverts in third-party advertising networks; the adverts redirect visitors to sites where drive-by attacks take place. A number of large websites, Yahoo and AOL for example, have inadvertently displayed such adverts. Pop-up blockers and ad-blocking software reduce the risk.

Warning Issued on “Tech Support” Scams


Cybercriminals are using a variety of social engineering techniques to get business users to reveal sensitive information that can later be used to launch a cyberattack. One of the most common, and most effective, is a telephone call, email, or website pop-up that warns the user of a malware infection on their computer.

In the scam, a supposed member of tech support offers to clear the infection, which requires the user to download a program that is claimed to remove the malware. There is of course no infection. The "removal tool" users are convinced to download is the malware.

Users are advised never to provide login credentials to anyone, never to install a software program unless instructed to do so by their internal IT department, never to trust unsolicited phone calls, and never to grant remote access to anyone whose identity cannot be verified.

HIPAA Covered Entities Advised to Use BBB Scam Tracker


HIPAA-covered entities have also been advised to use a new tool supplied by the Better Business Bureau (BBB) to keep abreast of the latest social engineering and phishing scams. The tool can be accessed at the following link: https://www.bbb.org/scamtracker/us

The aim is to promote information sharing to raise awareness of the latest threats. Being aware of the latest scams, and sharing that information with employees, is one of the best ways to protect end users from cyberattacks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.