Healthcare Organizations May Suffer HIPAA Fines due to Phishing Attacks

In the United States, the healthcare sector is being targeted by hackers and scammers, and phishing attacks on healthcare organizations are one of the simplest and most common methods of gaining access to email accounts and protected health information (PHI).

A phishing email is sent to a healthcare employee with a seemingly legitimate reason for entering their login credentials. This gives the attackers access to the employee's email account and to any protected health information contained in those emails. Email accounts hold a great deal of information that can be used in further attacks, and a compromised account can be used to send more phishing emails to colleagues within the organization, which are more likely to be trusted because they come from an internal address. One response to a phishing email can therefore result in many email accounts being compromised, and a single phishing email can lead to a major security incident and an expensive data breach.

There have been many phishing attacks on healthcare organizations in 2017, and the past 12 months have seen numerous phishing-related data breaches added to the Department of Health and Human Services' Office for Civil Rights (OCR) Breach Portal. Breaches of protected health information affecting 500 or more individuals are listed on the portal and investigated by OCR. During investigations of phishing attacks on healthcare organizations, OCR often finds that Health Insurance Portability and Accountability Act (HIPAA) Rules have been violated. Organizations are found not to have performed a risk analysis, as required by the HIPAA Security Rule, and to have failed to identify the risk of phishing and take appropriate steps to reduce that risk to an acceptable level.

When organizations are found to have violated HIPAA Rules, heavy fines may result. OCR has reviewed many healthcare phishing attacks in recent years and has pursued some of those cases to settlement.

The HIPAA Security Rule requires that safeguards be established to protect the confidentiality, integrity, and availability of electronic PHI. While the Security Rule does not specify which security solutions must be implemented, there are two essential anti-phishing controls that every healthcare organization should have in place.

A spam filtering solution should be implemented to stop phishing and other malicious emails from reaching end users' inboxes. It would be hard to argue that the risk from phishing has been reduced to an acceptable level if no technical controls are in place to block phishing emails from being delivered.

Healthcare employees must also be given security awareness training. All staff members should be informed of the danger of phishing and the methods scammers use to gain access to computers and data. They should be familiar with best practices and shown how to identify phishing emails and other dangerous email threats, since no filter blocks every malicious message. By blocking phishing emails and training end users, the risk posed by phishing can be significantly reduced.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related area of IT security breaches, with a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone