It’s widely recognized that social engineering is one of the biggest threats to healthcare organizations. Even so, many IT teams throw up their hands in surrender, crossing their fingers and hoping that the often minimal training offered to staff will be enough to keep the organization on the right side of HIPAA.
But this approach misses the point. HIPAA isn’t a collection of red tape and bureaucracy lying in wait like a “gotcha” trap for unwary individuals or organizations. Its Privacy and Security Rules are enforceable regulations that exist to protect patients and their health information as they navigate the healthcare system.
Another approach is to lean heavily on human-centered training, such as teaching users how to create strong passwords or requiring everyone to change their passwords every 60 or 90 days. (Mandatory periodic rotation is no longer considered good practice: NIST SP 800-63B advises changing a password only when there is evidence it has been compromised, because forced rotation pushes people toward predictable patterns.) On the surface this strategy makes sense. After all, social engineering attacks succeed by exploiting human error, or occasionally deliberate bad acts, so minimizing unsafe practices should also minimize the risk of data breaches.
However, relying on human perfection to defend against social engineering is ultimately doomed to fail. Humans are, well, humans. Even when we are diligent and well-intentioned, we miss things. We’re misled by deceptive tactics like phishing emails or links to sketchy websites loaded with malware. We get distracted and we get bored. A single lapse can introduce a cascade of disastrous consequences.
A better approach to reducing the threat of social engineering is to combine common-sense human strategies with technology that doesn’t depend on users getting it right every time. Multi-factor authentication limits what a stolen password is worth, and phishing-resistant methods such as FIDO2/WebAuthn security keys won’t authenticate to a look-alike site at all. A password manager only fills credentials on the domain it saved them for, so a convincing phishing page gets nothing. A VPN protects data in transit on untrusted networks, though it does nothing against phishing itself. Layered together, these controls reduce the damage one mistake can do, and they map directly to the technical safeguards the HIPAA Security Rule requires, such as access control, person or entity authentication, and transmission security.
Do you have questions about your organization’s HIPAA compliance? Contact Matterform for a free exposure analysis today.