With all the technologies and workforce dedicated to protecting our ePHI, we often ask how criminals continue to deliver malicious payloads, usually by fraudulent email (phishing), that result in a security incident or a breach. We think it should be easy enough to filter out the messages that aren’t legitimate, and even easier to spot the ones that reach our inboxes. The truth is that the hackers continue to refine their techniques, and many of the healthcare organizations we speak to are cutting the dollars normally allocated to their training and compliance programs as a result of COVID-19’s impact on their revenue.
Phishing continues to work because a criminal is able to take advantage of some of the very behaviors that make us human: trusting that the message we receive is legitimate, responding to the urgency the sender adds to elicit the desired action, and having too little time to scrutinize and analyze every email that hits our inbox. We will share that even we have been the victim of a well-crafted phishing attack; our swift incident response preserved our company’s protected information, and no damage was sustained (aside from our egos).
The most common phishing attempts center on a message asking the recipient for their credentials (e.g. usernames, passwords, etc.). These emails appear to come from within the organization or from its outsourced information services or technology company. Examples include requests to reset a password that require entering the user’s current password, or invitations to a shared document hosted on a (fake) external service (e.g. Dropbox, Google Drive, MS Teams, etc.). Criminals are also deploying remote access toolkit (RAT) software in Trojan Horse fashion (e.g. via macro code in an Office document) that can capture keystrokes and steal files from the workstation or a mapped network server.
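As an added example that is not part of the original post: a small Python triage script that checks a raw email for the indicators described above, namely a display name that claims to be internal IT while the address is external, a credential or password-reset lure with urgency wording, a link to a lookalike of a file-sharing service, and a macro-enabled Office attachment. The organization domain, the list of trusted file-share domains and both sample messages are constructed for the example and are not from the post.

```python
"""Flag the phishing patterns described above on raw RFC 822 messages.

Constructed example: a small triage scorer that inspects the From: header,
body text, embedded links and attachment names for the indicators named in
the post. All domain names and sample messages below are made up.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: the organization's own mail domain (hypothetical value).
INTERNAL_DOMAIN = "example-health.org"
# Assumption: file-sharing services the organization legitimately uses.
TRUSTED_SHARE_DOMAINS = {"dropbox.com", "drive.google.com", "teams.microsoft.com"}
# Brand words that, in a host name outside the trusted list, suggest a lookalike.
SHARE_BRANDS = ("dropbox", "google", "microsoft", "teams", "onedrive", "sharepoint")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")

CREDENTIAL_RE = re.compile(r"\b(password|credentials|username|verify your account)\b", re.I)
URGENCY_RE = re.compile(r"\b(immediately|within 24 hours|urgent|suspended|expire[sd]?)\b", re.I)
IT_ROLE_RE = re.compile(r"\b(it|helpdesk|support|security)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.I)


def _body_text(msg: Message) -> str:
    """Concatenate the text parts of the message (attachments excluded)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def _is_trusted_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_SHARE_DOMAINS)


def phishing_indicators(raw: str) -> list:
    """Return a sorted list of indicator names found in one raw message."""
    msg = message_from_string(raw)
    found = set()

    # 1. Display name poses as the organization or its IT/helpdesk, but the
    #    actual address belongs to another domain.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    org_name = INTERNAL_DOMAIN.split(".")[0]
    if sender_domain and sender_domain != INTERNAL_DOMAIN:
        if org_name in display.lower() or IT_ROLE_RE.search(display):
            found.add("display-name-spoof")

    # 2. Credential/password lure and urgency wording in the body.
    body = _body_text(msg)
    if CREDENTIAL_RE.search(body):
        found.add("credential-request")
    if URGENCY_RE.search(body):
        found.add("urgency-cue")

    # 3. Links whose host name borrows a file-share brand without being that service.
    for host in URL_RE.findall(body):
        host = host.lower()
        if any(b in host for b in SHARE_BRANDS) and not _is_trusted_host(host):
            found.add("untrusted-share-link")

    # 4. Macro-enabled Office attachments (common RAT delivery vehicle).
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(MACRO_EXTENSIONS):
            found.add("macro-enabled-attachment")

    return sorted(found)


# Constructed sample: a credential-reset lure with a lookalike link and a .docm.
SAMPLE_PHISH = """\
From: "Example-Health IT Support" <helpdesk@example-health-secure.com>
To: nurse@example-health.org
Subject: Action required: password reset
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your password expires within 24 hours. Verify your account by entering your
current password here: https://dropbox.com.login-files.net/reset
The attached form must be completed immediately.

--XYZ
Content-Type: application/octet-stream; name="reset_form.docm"
Content-Disposition: attachment; filename="reset_form.docm"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed sample: an ordinary internal message with a genuine share link.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane@example-health.org>
To: nurse@example-health.org
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Notes from today's meeting are in the shared folder:
https://drive.google.com/file/d/abc123
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("legit:", phishing_indicators(SAMPLE_LEGIT))
```

The indicators are deliberately coarse: a single hit (for example "urgency-cue" alone) is normal in legitimate mail, so a real mail gateway or SOC rule would act on combinations such as an external sender posing as IT together with a credential request, and would feed the result to the user-reporting and training program rather than silently dropping the message.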
We understand that 2020 has not been a banner year for many healthcare organizations, but the bad guys are not taking time off. Phishing training should be conducted throughout the year, quarterly or monthly depending on how vulnerable the workforce remains, in support of §§164.308(a)(5)(i)-(ii). A single phishing email can and has resulted in ePHI being stolen and in electronic health record systems being encrypted and compromised. Ironically, phishing campaigns are not expensive when viewed on a per-workforce-member basis. Click our "fish" below if you have been curious about phishing but didn’t know whom to ask.
Stay (HIPAA) safe,