In 2020 phishing is still the favorite tactic hackers use to access patient data. Cybercrime is growing and hackers are becoming more creative at hiding themselves to get into systems through email. When it comes to security incidents, email is the most common point of compromise (59%), followed by human error (25%), according to the 2019 HIMSS Cybersecurity Survey. Busy staff who haven’t been trained in cybersecurity are vulnerable, putting patient data at risk.
Although the situation sounds dire, there is a lot you can do to defend against phishing and cybercrime. Basic HIPAA security requires good malware protection, and everyone should have it today. But to set yourself apart and do more to protect against phishing, the key is cybersecurity training for staff. Teaching basic cybersecurity defense is critical because phishing targets people, and people can learn to spot trouble – and the HIPAA Security Rule requires it.
Be Aware of a New Phishing Tactic
In late 2019 a new technique emerged, called conversation-hacking. It’s a form of “spear phishing”, a personalized direct contact that fools an email recipient into thinking the phisher is someone they know. A hacker uses previously compromised credentials to enter an email thread that already exists. They then masquerade as a senior leader within the email recipient’s organization (e.g., CEO or CFO) and request sensitive information (e.g., credentials) or even the transfer of funds to an account accessible to the scammer.
HIPAA Security Requires Stopping the Phishers
All requests for sensitive or secure information over email should cause someone to stop and “think before you click”. If in doubt, ask the IT department to look at a suspicious email or request. There are other common signposts of phishing, including misspellings in the email, awkward grammar or punctuation, and an email address that looks unconnected to the name, or different from the ones you usually see from that person. We suggest people hover over the email sender’s name and look at the originating address. If it looks unconnected to the name itself, it’s likely a phishing email: show it to the IT security staff immediately, and don’t click any links or open any attachments in the email.
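The sender check described above (does the address behind the display name belong to your organization?) can also be automated at the mail gateway or in a triage script. The following is an added example, not code from the article or the HIPAA E-Tool; the internal domain `example-clinic.org` and the two sample messages are constructed, and the Reply-To comparison is an extra check that goes slightly beyond the article’s hover-over advice.

```python
"""Flag From-header sender/display-name mismatches, the check the article
recommends doing by hand. All domains and messages here are constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

TRUSTED_DOMAIN = "example-clinic.org"  # assumed internal domain (placeholder)


def sender_checks(raw_message: str, trusted_domain: str = TRUSTED_DOMAIN) -> List[str]:
    """Return human-readable warnings for one RFC 822 message; [] means clean."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    warnings: List[str] = []
    if "@" not in address:
        return ["From header has no parsable address"]
    domain = address.rsplit("@", 1)[1].lower()

    # The article's check: the address behind a familiar-looking name is external.
    if domain != trusted_domain and not domain.endswith("." + trusted_domain):
        warnings.append(f"display name '{display_name}' but address is external ({domain})")

    # A display name that itself looks like an address is a common spoofing trick.
    if "@" in display_name:
        warnings.append(f"display name '{display_name}' looks like an email address")

    # Extra check beyond the article: replies silently routed somewhere else.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != address.lower():
        warnings.append(f"Reply-To ({reply_addr}) differs from From ({address})")
    return warnings


# Constructed sample messages: one genuine internal reply, one lookalike request.
LEGIT = ("From: Pat Lee <pat.lee@example-clinic.org>\n"
         "Subject: Re: Q3 vendor invoice\n\n"
         "Attached as discussed.\n")

SUSPECT = ("From: Pat Lee CEO <pat.lee.ceo@mail-example.net>\n"
           "Reply-To: payments@other-example.net\n"
           "Subject: Re: Q3 vendor invoice\n\n"
           "Please send the updated bank details today.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, sender_checks(raw) or "no findings")
```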
HIPAA Compliance Starts with Risk Analysis
A good HIPAA Risk Analysis, and the HIPAA security assessment that goes with it, will assess strengths and weaknesses in your cybersecurity defenses. It also reminds you of the importance of cybersecurity training, and tracks who has been trained and when. When training is included on a regular, repeated basis, defending against phishing is much easier.
Busy people who are well meaning and polite may not be skeptical or suspicious about emails that require a closer look. A healthcare organization’s workforce is the backbone of its compliance program. When employees are engaged in maintaining the HIPAA Risk Management program, they are better able to help maintain HIPAA security. Phishing targets people who don’t know any better and haven’t been trained on what to look for. Once they’ve been trained, they will “Think Before You Click” and may save you from a devastating breach.
The HIPAA E-Tool® Covers Risk Analysis and Includes Security Training
We have complete HIPAA compliance coverage for providers, health plans and business associates of every kind, large and small. We understand cybersecurity, and phishing in particular, and can help create a culture of compliance among the workforce with our step-by-step guidance, policies and a Risk Management module. Every HIPAA question answered.