Phishing Emails: One Click and That’s It!

Many health care entities recognize that cybersecurity threats present a substantial risk to their organization. Moreover, the HIPAA Security Rule requires health care providers to develop and implement policies and procedures to ensure the confidentiality, integrity and availability of protected health information. However, while entities aim to secure health data, a recent study of health care organizations concludes that phishing attacks still remain a major threat in the health care setting.

What is Phishing?

Phishing occurs when emails are sent to individuals or entities in an attempt to fraudulently gain access to personal information or introduce malware into the computer system. These emails are often disguised to look familiar to the recipient. The perpetrator may disguise their communication to appear to be from a colleague, family member or friend. They may also attest to be from a reputable source, like your bank, PayPal or other legitimate websites. They request that you click on a link or open an attachment. Fraudulent links will generally request that you update your information by entering your username or password. Some may ask for other types of personal information like address, date of birth, social security number or credit card information. Fraudulent attachments may contain malware, the most common being ransomware, which has had a significant negative impact on a number of industries, including health care.

In March of 2019, JAMA released the results of a study in which mock phishing emails were sent to employees of six U.S. hospitals over a period of almost seven years to analyze how often employees of those organizations would click on mock phishing emails. Approximately 2.9 million mock emails were sent, categorized as office related, personal or information technology emails.  Just under 422,000 of those mock emails were accessed. Those numbers reflect that 1 in 7 of the mock phishing emails was opened, demonstrating how simple it is to make health care entity’s information systems vulnerable to malware attacks.

An important finding in the study was that the more employees were exposed to mock phishing emails and educated on the consequences of exposure, the less likely they were to open subsequent phishing emails. Thus, employee training and awareness campaigns are essential to reducing the threat of exposure.

Reduce Your Organization’s Risk of Being a Victim of a Phishing Scheme

There are ways that entities can reduce their risk of becoming victims of phishing attacks, including but not limited to the following:

• Ensure that your entity has a clear and documented policy which addresses how employees should handle email communications. Some entities forbid accessing personal emails on work equipment while others set specific parameters. Your entity should determine the process that works best for your workforce and enforce that policy.
• Train your staff on how they can identify phishing schemes and educate them on the threat that these schemes pose to your organization.
• Ask your Information Technology (IT) personnel to send phishing emails to employees to test the number of employees who fall for phishing schemes after training.
• Consider purchasing cyber insurance to protect your entity in the event of a malware attack.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.