“Phishing” occurs when emails are sent to individuals or entities in an attempt to fraudulently gain access to personal information or introduce malware into the computer system. These emails are often disguised to look familiar to the recipient. The perpetrator may disguise their communication to appear to be from a colleague, family member or friend. They may also attest to be from a reputable source, like your bank, PayPal or other legitimate websites. They request that you click on a link or open an attachment. Fraudulent links will generally request that you update your information by entering your username or password. Some may ask for other types of personal information like address, date of birth, social security number or credit card information. Fraudulent attachments may contain malware, the most common being ransomware, which has had a significant impact on the health care industry.
What Is “Spear Phishing”?
Spear phishing is a specific kind of phishing that customizes its attack to specific individuals. For instance, the perpetrator may study an individual’s social media profiles and send them an email that appears to be from a co-worker or organization that they belong to. Just as with normal phishing exercises, the goal is for the target individual to click on a fraudulent link or attachment that will either provide the perpetrator with personal information or provide an opportunity to introduce malware into their computer system.
How Are Phishing Schemes Impacting Health Care Entities?
The threat of phishing activities to health care entities has steadily increased. Perpetrators are learning that the types of identifying information that health care entities attain and maintain are the exact types of identifiers they need to participate in a wide range of fraudulent activity from filing false tax returns to credit card fraud. These identifiers include data that health care professionals work with daily, like date of birth, social security numbers and health plan information.
When health care professionals fall victim to these phishing schemes it can threaten their entire organization. With the widespread use of Electronic Medical Records (EMRs), compliance professionals are seeing ransomware attacks on the rise as entity administrators attempt to recover their vital data.
Reduce Your Risk
- Ensure that your entity has a clear and documented policy which addresses how employees should handle email communications. Some entities forbid accessing personal emails on work equipment while others set specific parameters. Your entity should determine the process that works best for your workforce and enforce that policy.
- Train your staff on how they can identify phishing schemes and educate them on the threat that these schemes pose to your organization.
- Ask your Information Technology (IT) personnel to send phishing emails to employees to test the number of employees who fall for phishing schemes after training.
- Consider purchasing cyber insurance to protect your entity in the event of an attack.
Identify Phishing Activity
- Often these fraudulent emails will have email links that are misspelled. For example, instead of firstname.lastname@example.org, it may have email@example.com. Those variations are small and often overlooked.
- Be careful about the information that you share on social media. Try not to post personal information like your address, phone number and birth date.
- Be suspicious about sites that attempt to redirect you to other similar looking websites.
- If you think an email looks suspicious, contact your supervisor or HIPAA Security Officer so that it can be investigated properly.
Report Phishing Attempts
If you believe that you or someone that you know may have been the victim of a phishing attempt, there are a number of authorities that receive these reports and act to minimize their impact.
- You may file a report with the Federal Trade Commission (FTC). Reports can be sent electronically at FTC.gov/complaint.
- Reports can be made to APWG at firstname.lastname@example.org. This is an anti-phishing workgroup that analyzes and fights cybercrimes.
- Always notify your IT support staff or your HIPAA Security Officer when you believe that you have received a fraudulent email so that they can investigate the email and take action to minimize the threat.
If you have questions regarding phishing and malware, or if you believe that it is time to update your entity’s policies and procedures, please consult a health care compliance expert.
Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page.