Before venturing out to attend the 2016 Nextech EDGE conference last week, I decided to write a bit of a teaser blog article on a topic I was covering at my session on cybersecurity—Social Engineering. (Side note: I would like to extend a most sincere thank you to everyone at EDGE who attended my sessions). In order to avoid publishing any spoilers, however, I chose not to go into too much detail and promised to elaborate further once I returned from the conference. Well… I have returned, so it is time for me to make good on that promise. Since we already explained what social engineering is in the previous article, I don’t think it’s necessary to rehash all the basics. Instead, let’s start by taking a look at some examples of social engineering tactics that are commonly employed by hackers and cybercriminals.

On this blog, we’ve had a lot of discussion about the problem of human behavior when it comes to cybersecurity. For example, we have looked at the Sony Pictures breach, which was caused by spear-phishing emails. We looked at Edward Snowden’s hack of the NSA, which he accomplished by simply calling agents and requesting their login credentials (a combination of “pretexting” and phone phishing). We even examined the notorious agent.btz worm that spread through the entire DoD network when an agent used a USB drive he found in a parking lot. While all of the abovementioned data breaches were accomplished by different means, they all have one thing in common—all three of them employed some form of human-based tactic. The biggest reason that humans have potential to be a data security factor can be summed up in two words… Social Engineering.

In our last blog article, we took a look at how human behavior is the most frequently encountered threat to data security. So, what to do? You can’t have 100 percent control over every problematic aspect of human behavior, after all. However, there are some ways for you to simply remove the human element from your data security equation, such as purchasing a private, HIPAA compliant Cloud or adopting a SaaS-based EMR/EHR solution.

On December 18, just weeks before the end of 2015, Congress passed its usual Federal Omnibus Government Spending package for the year. Included in this piece of legislation was a certain 2009-page-long document—the Cybersecurity Act of 2015. Luckily for you, I decided to go ahead and do all the grunt work for our readers so that none of you have to read through this monster of a document (FYI—I very nearly froze up my computer trying to download a gigantic PDF file of it, but luckily I found that I could just read it straight off the Congress.gov website instead). To be honest, I quickly figured out that only about nine pages of this cybersecurity law are actually relevant to healthcare providers (the other 2,000 pages… not so much). Out of those nine pages, there are around six main items that healthcare providers need to be aware of from the Cybersecurity Act of 2015:

According to data compiled by IBM X-Force Interactive Security Incidents, just shy of 100,000,000 healthcare records have been compromised by data breaches in 2015. And the vast majority of these breaches were experienced by practices operating in the United States. To make matters worse, the healthcare industry continues to be one of the leading sector for data breaches. Healthcare data breaches accounted for 8.4 percent of all cybersecurity incidents in 2015 (according to the IBM data). While a sizable chunk of those who experienced incidents (38.9 percent) chose not to disclose the cause, there was still enough data in the study to identify the top five most frequent cybersecurity threats that resulted healthcare data breaches in 2015.

A recent study conducted and released by NetSfere Enterprise Messaging took a close look at how messaging apps are being used in today’s business world. Some of the study’s findings regarding security practices are, unfortunately, rather disturbing. Based in these findings, it would seem that many healthcare businesses and organizations who handle PHI (providers, practices, insurers, and payers alike) are playing HIPAA-Russian roulette when it comes to the use of mobile SMS/MMS tools.

The stakes for healthcare security have never been higher, yet healthcare organizations and EHR companies struggle to maintain compliance with an ever-increasing number of requirements and regulations — like the upcoming third stage of Meaningful Use.

One of the unavoidable side effects of the shift to Electronic Medical Records (EMR) has been a nearly exponential surge in the amount of digital data storage being occupied by the healthcare industry, which some are referring to as the “data deluge.” In all honesty, this data flood of epic proportions is something that everyone really should have seen coming a long time ago. It’s been pretty obvious for quite some time. For a number of years already, in fact, medical-related data has been consuming increasingly bigger pieces of the global storage pie.