HIPAA Compliance and Phishing: Email Attacks Can Result in HIPAA Penalties

A phishing attack on a HIPAA-covered entity has led to a $400,000 HIPAA breach fine for non-compliance. This is not the first time a phishing attack has resulted in a penalty from OCR for non-compliance.

The failure to stop a phishing attack does not necessarily lead to a HIPAA penalty, but failing to implement adequate protections to prevent such attacks could land HIPAA-covered entities in hot water.

HIPAA Compliance and Phishing

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) Rules. While OCR carries out audits of covered entities to identify aspects of the HIPAA Rules that covered entities find difficult to comply with, to date no fines have been issued for HIPAA violations discovered during compliance audits. The same cannot be said of investigations of data breaches.

OCR investigates every data breach that impacts more than 500 individuals. Those investigations often lead to the discovery of violations of HIPAA Rules. Any HIPAA-covered entity that experiences a phishing attack that leads to the exposure of patients’ or health plan members’ protected health information could have previous HIPAA violations uncovered. Just one phishing attack that is not thwarted could therefore result in a massive fine for non-compliance.

What HIPAA Rules cover phishing? While there is no specific reference to phishing in HIPAA, phishing is a threat to the confidentiality, integrity, and availability of ePHI and is covered under the administrative safeguards of the HIPAA Security Rule. HIPAA-covered entities are required to provide ongoing, appropriate HIPAA training to staff members. §164.308(a)(5)(i) requires a security awareness and training program, and while its implementation specifications are addressable requirements, they cannot be disregarded.

These administrative measures include the issuing of security reminders, protection from malicious software, password management, and log-in monitoring. Employees should also be taught how to identify possible phishing emails and told how to respond correctly when such an email is received.

The HIPAA Security Rule also requires technical safeguards to be implemented to protect against threats to ePHI. Reasonable and appropriate security measures, such as encryption, should be employed to protect ePHI. Since ePHI is often accessible through email accounts, a reasonable and appropriate security measure would be to employ a spam filtering solution with an anti-phishing component.

Given the frequency of attacks on healthcare providers, and the extent to which phishing is involved in cyberattacks (PhishMe reports that 91% of cyberattacks start with a phishing email), a spam filtering solution can be classed as a vital security control.

The danger posed by phishing should be highlighted during a risk analysis, a required element of the HIPAA Security Rule. A risk analysis should identify risks and vulnerabilities that could potentially result in ePHI being exposed or stolen. Those risks must then be mitigated as part of a covered entity’s security management process.



Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches, with a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone