Cybersecurity Importance

By Lynette Peterson, CHC, CHA 

There is a lot of talk about cybersecurity, and most of us assume that it is a technical issue for someone else to worry about. Although there are technical components involved, there are also policies and procedures regarding electronic security and transmission of data that should be in place for all employees to follow. These policies and procedures should go beyond the typical password requirements and include topics such as identifying phishing emails and phone calls, reporting suspicious emails, and appropriately cleaning/clearing network upload and download files that may contain patient healthcare information.

According to the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), there were at least 649 ransomware attacks on critical infrastructure organizations from June 2021 to December 2021. The FBI has seen a 34% increase in complaints regarding phishing incidents from 2020 to 2021. See the FBI Internet Crime Report 2021.

Additionally, the Civil Cyber Fraud Initiative was launched in October 2021 by the Department of Justice (DOJ) to pursue cases against government contractors that knowingly used deficient cybersecurity products and services which put information systems at risk, as well as cases involving failures to report cybersecurity incidents. A case example is a recent settlement with medical services contractor Comprehensive Health Services (CHS) to resolve alleged False Claims Act (FCA) violations. The case alleged that for medical services provided in Iraq and Afghanistan between 2012 and 2019, CHS failed to disclose to the State Department that it had not consistently stored patients’ medical records on a secure EMR system. When CHS staff scanned medical records for the EMR system, they saved and left scanned copies of some records on an internal network drive, which was accessible to non-clinical staff. Even after staff raised concerns about the privacy of protected medical information, CHS did not take adequate steps to store the information exclusively on the EMR system.

Make sure all your employees know the cybersecurity requirements for your organization and what to do if they are a target of a phishing attack.

The ACE Team,

© 2021, Auditing for Compliance & Education, Inc.