Be more skeptical on the internet. Medical identity theft is extremely profitable for cyber criminals and it’s all too easy with basic phishing tactics. It shouldn’t be.
Getting caught in a phisher’s net can happen to anyone. Recently, four employees at Michigan Medicine (University of Michigan Health) fell for a phishing scam, and the protected health information (PHI) of 33,850 individuals was exposed. Like many of us, the employees were too trusting and followed the criminal phisher’s instructions to give away the keys – their email login information.
As Michigan Medicine explained in its breach notice on October 27, 2022:
“…the attacker lured employees to a webpage designed to get them to enter their Michigan Medicine login information. Four Michigan Medicine employees entered their login information and then inappropriately accepted multifactor authentication prompts which allowed the cyber attacker to access their Michigan Medicine e-mail accounts.”
The emails were job-related communications for patient care and coordination and contained personal information, including names; medical record numbers; addresses; dates of birth; diagnostic and treatment information; and/or health insurance information. The amount and type of information varied by patient.
Two Phishing Incidents this Year
Unfortunately, this latest incident looks similar to one Michigan Medicine reported in March 2022. In that case, a phishing attack compromised an employee’s email in December 2021; the compromise was discovered in January 2022, and the PHI of almost 3,000 patients was exposed.
Phishing is a HIPAA Problem
When PHI is compromised by a cyber attack, it becomes a healthcare data breach that must be reported to the Office for Civil Rights (OCR) under the Breach Notification Rule. Michigan Medicine has also notified patients individually and posted a public notice, both required by HIPAA.
OCR will investigate whether Michigan Medicine is complying with HIPAA, whether it has a HIPAA risk analysis and risk management plan, and whether its employees are trained.
Cybersecurity Awareness Training
Most criminal cyber attacks still succeed with simple phishing tactics. It’s true that cyber crime has skyrocketed and some of it is extremely sophisticated, designed to pierce through high-tech defenses. But criminals also use basic tricks to fool unsuspecting staff. People can’t be programmed the way a piece of code defending your network can. On the other hand, people can learn, and basic cybersecurity awareness training helps them do so.
Cybersecurity awareness training is essential. It’s not technical or expensive and it helps employees both at work and at home on their personal devices.
Training is Required for HIPAA Risk Management
The primary HIPAA requirement – the first compliance priority and strongest defense against medical identity theft – is a full HIPAA risk analysis and risk management program. Training is part of risk management because it helps staff defend, push back and keep the network doors locked. But a full risk analysis will address all the other ways PHI might be at risk, and guide you to create the safeguards HIPAA requires to keep PHI secure.