Nearly 90% of Cyber Breaches are Caused by…

Every day, pharmacies and their hardworking staff safeguard patients’ Protected Health Information (PHI), but breaches still occur. The June 2023 Health and Human Services Office for Civil Rights (OCR) Cybersecurity Newsletter focused on providing an insight into cybersecurity authentication and tips for building a more robust “wall” for malicious actors to encounter before a breach could occur. The OCR newsletter indicated that according to a 2023 Data Breach Investigations Report, “86% of [cyber] attacks to access an organization’s Internet-facing systems (e.g., web servers, email servers) used stolen or compromised credentials” and “robust authentication serves as the first line of defense against malicious intrusions and attacks”.

As mentioned in the OCR newsletter, the National Institute of Standards and Technology’s Digital Identity Guidelines state that “historically, three factors form the cornerstones of authentication:

  • Something you know (e.g., password, personal identification number (PIN))
  • Something you have (e.g., smart ID card, security token)
  • Something you are (e.g., fingerprint, facial recognition, other biometric data)”

Multi-factor authentication is a common method for ensuring the person gaining access to a system is, in fact, who they say they are. It requires one element from each of two different categories listed above, such as a password plus a security token. The Cybersecurity Newsletter states that “Cyber-attacks often begin with a compromised password that is used to gain initial access to an electronic information system.” If a password is compromised through a successful phishing attempt, the second element (e.g., security token) may be enough to block unauthorized entry long enough for the Security Officer to perform an Information Systems Activity Review, identify the unusual activity, and intervene.
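As an added illustration (not code from the OCR newsletter or from PAAS), the following Python login check requires both a password and an RFC 6238 time-based one-time code, and records every attempt so that a "password accepted, second factor failed" pattern surfaces in the activity review. The user name, password and TOTP seed are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo user store: one pharmacy workstation login with a password
# hash and a per-user TOTP seed. sha256 keeps the demo short; real password
# storage needs a slow, salted hash (bcrypt, scrypt or Argon2).
USERS = {
    "jdoe": {
        "pw_hash": hashlib.sha256(b"correct horse battery").hexdigest(),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed
    }
}
# Entries appended here feed the Security Officer's activity review.
ACTIVITY_LOG = []


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticate(user: str, password: str, token: str, now: int) -> dict:
    """Grant access only when both factors verify; log every outcome."""
    rec = USERS.get(user)
    if rec is None:
        pw_ok = tok_ok = False
    else:
        # compare_digest avoids leaking match length through timing.
        pw_ok = hmac.compare_digest(
            rec["pw_hash"], hashlib.sha256(password.encode()).hexdigest())
        tok_ok = hmac.compare_digest(totp(rec["totp_secret"], now), token)
    allowed = pw_ok and tok_ok
    if pw_ok and not tok_ok:
        # The case the article describes: a stolen password with no token.
        reason = "password accepted but second factor failed: review"
    elif allowed:
        reason = "both factors accepted"
    else:
        reason = "password rejected"
    ACTIVITY_LOG.append(
        {"user": user, "time": now, "allowed": allowed, "reason": reason})
    return {"allowed": allowed, "reason": reason}
```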

Safeguarding PHI and being compliant with the HIPAA Security Rule is required for any entity handling PHI. The Security Rule was designed to be flexible, allowing providers with varying scopes, sizes and resources to be compliant. Whether your pharmacy has been around for 30 years or 30 days, a thorough evaluation of your HIPAA program should be done at least annually. The beauty of the PAAS National® Fraud, Waste & Abuse (FWA) and HIPAA Compliance Program is that it mirrors the flexibility of the HIPAA Security Rule and is anything BUT a cookie-cutter program. Pharmacies perform a risk analysis upon enrolling in the program and answer questions, which allows us to customize a compliance policy and procedure manual specific to your pharmacy. PAAS Analysts are always happy to discuss how the PAAS FWA/HIPAA Compliance Program is built to help you address federal regulations. Call (608) 873-1342 or visit to see how you can become an FWA/HIPAA Compliance member today.

PAAS Tips:

  • Current FWA/HIPAA Compliance members can
    • Review sections 11.3.4 Information System Activity Review, 11.4 Workforce Security and 11.14 Access Control of the Policy and Procedure manual for more information
      • See Appendix B for the Information System Activity Review Log
    • Utilize the Employee Request for Access form in Appendix B to record the level of access and any keys or identification badges each employee possesses in order to perform their job duties, AND to record when the access is terminated, and keys/badges are returned
  • Provide each employee with their own unique log-in credentials and ensure their HIPAA training discusses the importance of safeguarding their passwords and all keys/security badges

Sara Hathaway, PharmD