Updated March 2025: Looking for a Business Associate Agreement? Download our FREE template.

Free BAA Download
Total HIPAA Logo

How to Use HIPAA to Defend Against Common Cybersecurity Attacks

While much of the anti-malware technology we have to protect us from hackers has become increasingly more sophisticated, so have attackers’ methods. According to the U.S. Department of Health and Human Services (HHS), incidents of hacking affecting 500 people or more increased by 45% from 2019 to 2020. If you operate a business that frequently processes electronic protected health information (ePHI), this statistic is certainly something to pay attention to. So, if cybersecurity attacks are on the rise, what are the most common attacks to look out for, and how can you defend against them?

Phishing

Phishing is a type of attack where someone impersonates another individual in order to persuade someone to share sensitive information, usually via email. It was recently reported that over 42% of ransomware attacks in Q2 of 2021 involved phishing. One way you can defend against phishing is by learning how to spot a phishing scam and educating your employees on how to do the same. Your organization should also have an established protocol to follow if any suspicious or out-of-the-ordinary communications are received.

Luckily, if you’ve structured your organization’s policies and procedures around the HIPAA Security Rule, much of this is already baked into the Security portion of your HIPAA compliance plan. The Security Rule requires that all employees take part in a security awareness and training program on an ongoing basis. This ensures that everyone who has access to ePHI is trained, up to date on the latest cybersecurity threats, and knows how to avoid them.

One practice many organizations have employed is sending fake phishing emails out to members of the workforce to gauge employee response. They track the opens, how many times the suspicious email was reported, etc. This will allow management to get a sense of how aware employees are of this type of scam, so they can implement future training accordingly.

We also recommend installing anti-malware software on all organization devices, so training and employee awareness are not your only lines of defense. Effective anti-malware software can help flag or even block certain communications before they reach employees’ inboxes.

Weak Cybersecurity Practices

It should go without saying that if you want to have a strong defense against cybersecurity attacks, you need to have strong cybersecurity practices. Although this might seem like common sense, an alarming amount of attacks could have been prevented if the organization had implemented a more robust cybersecurity program. In fact, over 80% of breaches that occur due to hacking involve compromised or brute-forced credentials.

Weak passwords and a lack of 2-factor authentication (2FA) are often to blame for breaches of data and their resulting consequences. Without these extra steps that verify that the person attempting to access ePHI is who they say they are, you put your organization and the information you’re safeguarding at constant risk. We recommend implementing 2FA as soon as possible, along with the use of a password manager like LastPass, which will help you create complex passwords and store them. That way, you only have to remember one master password, and managing your accounts immediately becomes much simpler.

Remember that these safeguards should not be viewed as “one and done” forms of implementation, but should be regularly monitored and updated to ensure ongoing safety and security. This applies to both technical and non-technical evaluations. Periodic review of security protocols is a requirement under the HIPAA Security Rule, and should therefore be complied with and taken seriously.

Exploiting Known Vulnerabilities

In addition to phishing and weak cybersecurity practices, exploiting known vulnerabilities is another common way that data is breached. A known vulnerability is a vulnerability whose existence is publicly known. The National Vulnerability Database (NVD) is where information about known vulnerabilities is kept.

When it comes to easily-exploitable vulnerabilities in an information technology infrastructure, many of them can be found on mobile devices, servers, desktop operating systems, apps, web software, firewalls, firmware, and databases. This is why it is so important to regularly update and patch systems that fix bugs and holes that leave data vulnerable. It may sometimes be necessary to disable certain services or applications, if a vulnerability is discovered, until a solution can be identified.

Any legacy systems, meaning, unsupported applications or devices, should be replaced with those that are up to current cybersecurity standards. If they cannot be replaced, additional safeguards should be implemented to increase protection. As previously mentioned, in order to stay compliant with the HIPAA Security Rule, regular evaluations and checks of current security systems are essential. 

The following is a list of ways you can stay up to date with updates, patches, potential vulnerabilities, and how those vulnerabilities can be mitigated:

  • Update your systems and programs when patches are released (Provided IT approves those updates)
  • Subscribe to Cybersecurity and Infrastructure Security Agency (CISA) alerts
  • Subscribe to HHS Health Sector Cybersecurity Coordination Center (HC3) alerts
  • Participate in an information sharing and analysis center (ISAC) or information sharing and analysis organization (ISAO)
  • Implement a vulnerability management program, involving a vulnerability scanner to detect vulnerabilities (i.e. obsolete software, missing patches, etc)
  • Regularly conduct penetration tests to identify weaknesses that could be exploited by an attacker

By establishing these policies, regularly reviewing them and your systems, and implementing the previously mentioned safeguards, a strong security program can be achieved.

Organizations that don’t take cybersecurity attacks seriously make themselves an open target to hackers and other bad actors. Our HIPAA Prime™ program helps you train your staff and provides you with a customized HIPAA compliance plan, complete with Privacy and Security Policies and Procedures. When it comes to HIPAA, we do the heavy lifting so you can focus on running your business.

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.

  1. U.S. Department of Health and Human Services Office for Civil Rights Breach Portal
  2. Q2 Ransom Payment Amounts Decline as Ransomware becomes a National Security Priority
  3. Verizon 2020 Data Breach Investigations Report
  4. National Vulnerability Database
  5. Cybersecurity and Infrastructure Security Agency Alerts
  6. HHS Health Sector Cybersecurity Coordination Center Alerts

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)