From HIPAA Safe Issue 19
It seems that every week this year brings a news article detailing how ePHI was stolen through criminal phishing activity. In the summer of 2016 we included a back-page article explaining phishing, provided some free workforce training resources and demonstrated how a compliance officer or HIPAA security officer can reference Security Rule citations to justify the expense of a phishing campaign (Issue 10). In the two years since, criminals have advanced their techniques and turned phishing-delivered malicious software (i.e. malware) to a much darker purpose, moving from stealing credit card numbers and personal information to encrypting electronic health record (EHR) systems. Encryption uses a mathematical algorithm to transform electronic information (e.g. ePHI) so that it is unreadable to anyone who lacks the decryption key. Once the ePHI is encrypted, the criminals demand payment for that key, and healthcare entities either quietly pay to regain access to their ePHI or try to restore their EHR from backup media. This encrypt-and-extort attack is more broadly known as “ransomware”. Either recovery approach takes the EHR away from clinical staff for a period of time and directly affects patient care.
Compounding the issue, criminals are now also establishing ransomware-as-a-service models, in which the operators partner with malware programmers and share the profits gained from healthcare organization payments. These services are fully modern: they accept cryptocurrency (a type of electronic payment) and make it difficult for law enforcement to trace any transaction.
The Office for Civil Rights (OCR) has made it clear that a CE or BA whose ePHI has been encrypted by a successful ransomware attack is presumed to have a reportable breach unless it can demonstrate a low probability that the ePHI was compromised. We may be going out on a limb to say this, but we believe that phishing is one of the most impactful and expensive attack vectors in (at least) the healthcare industry, and all organizations should run phishing campaigns quarterly if possible. Please contact us if we can help facilitate a phishing project for your company.