Posts Tagged email

Phishing Emails: One Click and That’s It!

Phishing Emails: One Click and That’s It!

Many health care entities recognize that cybersecurity threats present a substantial risk to their organization. Moreover, the HIPAA Security Rule requires health care providers to develop and implement policies and procedures to ensure the confidentiality, integrity and availability of protected health information. However, while entities aim to secure health data, a recent study of health care organizations concludes that phishing attacks still remain a major threat in the health care setting.

What is Phishing?

Phishing occurs when emails are sent to individuals or entities in an attempt to fraudulently gain access to personal information or introduce malware into the computer system. These emails are often disguised to look familiar to the recipient. The perpetrator may disguise their communication to appear to be from a colleague, family member or friend. They may also attest to be from a reputable source, like your bank, PayPal or other legitimate websites. They request that you click on a link or open an attachment. Fraudulent links will generally request that you update your information by entering your username or password. Some may ask for other types of personal information like address, date of birth, social security number or credit card information. Fraudulent attachments may contain malware, the most common being ransomware, which has had a significant negative impact on a number of industries, including health care.

In March of 2019, JAMA released the results of a study in which mock phishing emails were sent to employees of six U.S. hospitals over a period of almost seven years to analyze how often employees of those organizations would click on mock phishing emails. Approximately 2.9 million mock emails were sent, categorized as office related, personal or information technology emails.  Just under 422,000 of those mock emails were accessed. Those numbers reflect that 1 in 7 of the mock phishing emails was opened, demonstrating how simple it is to make health care entity’s information systems vulnerable to malware attacks.

An important finding in the study was that the more employees were exposed to mock phishing emails and educated on the consequences of exposure, the less likely they were to open subsequent phishing emails. Thus, employee training and awareness campaigns are essential to reducing the threat of exposure.

Reduce Your Organization’s Risk of Being a Victim of a Phishing Scheme

There are ways that entities can reduce their risk of becoming victims of phishing attacks, including but not limited to the following:

  • Ensure that your entity has a clear and documented policy which addresses how employees should handle email communications. Some entities forbid accessing personal emails on work equipment while others set specific parameters. Your entity should determine the process that works best for your workforce and enforce that policy.
  • Train your staff on how they can identify phishing schemes and educate them on the threat that these schemes pose to your organization.
  • Ask your Information Technology (IT) personnel to send phishing emails to employees to test the number of employees who fall for phishing schemes after training.
  • Consider purchasing cyber insurance to protect your entity in the event of a malware attack.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

How Can You Ensure Your Email is Safe and HIPAA Compliant?

How Can You Ensure Your Email is Safe and HIPAA Compliant?

Using free email providers like Gmail, Yahoo, and MSN are expedient and easy to set up. It’s the reason why some healthcare providers rely on them. While you could stretch to make the argument that these email services can be configured to be “HIPAA capable,” none in the eyes of security experts are HIPAA compliant. And not complying with the safeguards required by HIPAA law can lead to unnecessary violations and costly fines.

What Makes Email Vulnerable?

We all send countless emails every day without thinking about it. But from a technological and safety perspective, there are several links in the chain, which make email vulnerable to malicious interference. Once an email is sent it moves from your workstation to your email server…then onto your recipient’s email server…from there your recipient’s workstation pulls the message from their server. Along the way, there’s a copy of the email stored on each workstation and server.

To satisfy HIPAA requirements, protected health information must be secure both at rest and in transit. This entails having your email messages protected while resting on workstations and servers, but also being secure until they reach the intended recipient’s inbox. There are paid services, like Google’s G Suite, that claim to be HIPAA compliant, but they don’t encrypt your email all the way to the recipient’s inbox. If your email is not secure while in transit, it is susceptible to theft.

The Business Associate Aspect

A big issue with using free email providers is the lack of business associate agreements. As a responsible health care provider, you must have signed agreements with any third-party vendor that handles your protected health information. This means your email and file sharing service needs to sign a business associate agreement in order for them to be HIPAA compliant. Unfortunately, this isn’t possible with free email providers and taking a chance on using one could have costly and disastrous consequences.

Phoenix Cardiac Surgery found this out the hard way in 2012. That’s when they were forced to pay the Department of Health and Human Services $100,000 for HIPAA violations. One of the company’s abuses— as uncovered by the Office for Civil Rights’ investigation—was transmitting electronically protected health information to its employees’ private email accounts using an internet-based email service and posting sensitive data on a publicly accessible, Internet-based calendar service. Phoenix Cardiac Surgery did not have a business associate agreement in place with these vendors, which is a violation of the HIPAA Security Rule.

The Best Way To Secure Your Email

At PCIHIPAA, we offer an email add-on that encrypts your emails and integrates with Outlook, Gmail, and other popular email providers. It’s easy to use, as it allows you to send messages as you normally would. Your recipients are able to view your messages without any software on any browser. With our HIPAA-compliant email solution, you can track and verify that your email has been received by the intended patient. We utilize military-grade end-to-end encryption which ensures that cybercriminals aren’t able to intercept your sensitive data and disrupt your business.

We’ve all heard horror stories about protected health information being compromised via email. It’s simply not worth risking HIPAA violations and fines to use an unsecured email provider.

Call us today at 800-588-0254 and let us know you’re a Medical Association of the State of Alabama member to find out how we can set up an email solution that gives your practice peace of mind and 100% assurance of being HIPAA compliant.

Posted in: HIPAA

Leave a Comment (0) →

Cyber Security:  Five Common Phish Attack Schemes

Cyber Security:  Five Common Phish Attack Schemes

Hackers only need you, that’s right just you. They are sneaky and know the general population is busy and doesn’t pay close attention to the emails they receive. Hackers know people are comfortable in their daily habits. They exploit this behavior by creating email scenarios designed to encourage a click. They need just one person to click just one time to infect their computer with malware that grants them access to the information they need to launch a more sinister attack.

“Phishing attacks are by far the most common cyber attack today, and these attacks continue to get more and more sophisticated.  Gone are the days of the ‘dear sir’ attack-now we have to worry if an email appearing to be directly from a co-worker is actually from them,” said Steven Hines, president of Threat Advice.

Because hackers are continually changing their tactics, clicking on a nefarious email or link leading to a cyber attack can happen to anyone. Recognizing the threat before it turns into a disaster is just one way we each can be more prepared. The following are five ways hackers are currently trying to access your business and personal information:

  1. Look but don’t click. If the email address or the attachment name seems “phishy,” it probably is. Are there spelling or grammatical mistakes? Companies with professional staff are not going to make these types of mistakes.
  2. Analyze the salutation and signature closely. Most legitimate businesses will use your name rather than a generic greeting like “Dear customer.” The business should provide ways to contact them in the signature. If that’s not provided, it could be a phishing attempt.
  3. Know your brands. Hackers will spoof your favorite brands and make their emails look enough like the actual brand to fool you. Is the logo color wrong? Are there additional words in the brand name? Did you sign up to receive emails from them? Don’t click any links before you examine the email to confirm the sender.
  4. Urgent or Threating – No one likes a bully. A common phishing technique is to use harassing or threating language in the subject line or email content or to create a sense of urgency to handle a fake problem. Most legitimate banks, utilities/municipalities and businesses will not ask you to provide your private information via email nor threaten you in an email.
  5. What grandma said…“If it’s too good to be true, it probably is!” Hackers will continue to send phishing emails promising riches and prosperity if you only send your social security and bank information. Why? Because unfortunately, people still take the bait.

Article contributed by Cobbs Allen. Cobbs Allen is an official Gold Partner with the Medical Association. For more information about cyber liability insurance and how it protects your business, contact Margaret Ann Pyburn.

Posted in: MVP

Leave a Comment (0) →

Texting and Emailing in the World of HIPAA

Texting and Emailing in the World of HIPAA

If you experience anxiety every time you consider texting and/or emailing in your health care setting, you are not alone. On one hand, the world that we live in necessitates that information is communicated in a quick and easy manner. The ability to text or email staff and patients has become a high priority for many health care entities. On the other hand, patient privacy and confidentiality is essential to meeting compliance standards. Though emailing and texting are convenient, it certainly does not come without the possibility of pitfalls. It is a complex issue that requires meeting several factors in order to be implemented properly.

But Everybody Is Doing It, Right?

The perception is that many health care entities are already taking advantage of emailing and texting capabilities.  That may be accurate.  But the bigger question is whether they are utilizing those tools in accordance with HIPAA Privacy and Security requirements.  Health care entities should consider the following:

A Risk Analysis is key.  An adequate Risk Analysis is required to be performed at the outset of the practice, prior to developing a HIPAA policy.  This Risk Analysis identifies the type of information that you maintain or access and the areas within your entity where protected health information (PHI) is vulnerable. The Risk Analysis should be reviewed, and amended if necessary, whenever there is a change in your information technology environment.  This includes adopting the use of email and text messaging. The entity will need to consider potential vulnerabilities and threats, then document their plan to ensure that health information stays secure.

Show me the policy.  The HIPAA Privacy and Security policy must document your entity’s use of these services and define how employees are to utilize them.  This includes specifying whether only business owned devices can be used or whether the entity allows employees to utilize their own personal device (BYOD). The policy should also be specific about any differences in procedure for emailing and texting internally, versus outside communication with patients and other health care providers.  The policy requirement should be followed by adequate training.

Encryption, encryption, encryption.  Many entities that utilize PHI in email communications secure the information via encryption.  Within health care entities, the information is often secured by firewalls.  Firewalls make it much easier to implement security measures, oversee procedures and secure information.  Some health care entities choose to transmit PHI via electronic health records and customized patient portals. However, using emails to properly transmit PHI outside the entity is a much more complicated process.  To properly transmit PHI via email, encryption must be utilized.  Encryption software will resolve security issues because the patient receives an email containing a link which requires a unique username and password to access the PHI. Some patients find the process of logging in and remembering required passwords to be cumbersome, but others appreciate knowing that their information is secure.

Less is moreWhen communicating with individuals outside of your entity about PHI, utilize the Minimum Necessary Rule.  The Minimum Necessary Rule requires health care entities to limit the PHI produced to the amount of information necessary for the recipient to carry out their function.  For example, if another provider requests a patient’s diabetes lab work, only provide the requested lab work and not the patient’s entire medical record.  Also, it is recommended that you not share sensitive information including, but not limited to, a patient’s mental health, communicable disease status, child or elder abuse, and substance abuse issues.  The entity’s policies/procedures should define and describe how sensitive information should be transmitted.

The patient gets their way. HIPAA requires entities to communicate with patients in the manner determined by the patient, so long as it is reasonable. An entity’s Notice of Privacy Practices will generally articulate methods of intended communication by the entity.  However, a patient may choose not to receive communications through a traditional method. An example would be a patient request not to use U.S. mail, but to use email instead.  That entity may find that they do not have encrypted email capabilities that would appropriately safeguard the information. In this scenario, the health care entity must still comply with the patient’s request; however, they should have the patient sign a form that memorializes the patient’s request to use email communication and documents the risks associated with this request.

The guidance above does not apply to patient initiated communications. Patients are not considered to be HIPAA covered entities and therefore, their actions are not HIPAA violations.  Thus, patients are free to initiate emails or text messages with health care providers at their pleasure. Health care entities should have a form on hand for the patient to sign prior to responding to an email or text message from the patient. This form documents that the patient is aware of the inherent risk of email or text message communications, but wishes to receive the communication in that form anyway. This will help to satisfy the patient’s preference while helping to shield the health care entity from liability if communications are intercepted beyond the entity’s control.

Texting Has Added Risks

Text messages are generally available to anyone who utilizes that person’s phone because there is generally not separate password security for access to the text messaging feature.  Additionally, because the text messages do not pass through the entity’s servers, it is difficult, if not impossible, for IT staff and Security Officers to audit the texts.  And if these communications are intended to be a part of the patient’s record to demonstrate communication, the patient loses the right to amend the communication if it is not readily available in the paper or electronic record. There are vendors who offer “secure texting” solutions. If a health care entity is considering a secure texting vendor, have your designated Security Officer review their system carefully and converse extensively with the vendor about whether their product is indeed secure. A BAA with the vendor is also required. Finally, the entity should revisit its written policy and retrain when necessary.

To ensure that your practice is in compliance, and for assistance with determining whether your entity should proceed with implementing text or email communications, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: Legal Watch, Liability

Leave a Comment (0) →