Healthcare phishing attacks are becoming more sophisticated, which is why organizations must remain vigilant in their detection measures, OCR explained in its recent cybersecurity newsletter.
Hackers can exploit popular holidays to target individuals, and phishing attacks are also common during tax season, the agency stated. Spear phishing can be especially damaging to healthcare organizations.
“A spear phishing attack could target an individual in the IT, accounting or finance department of an organization by impersonating the individual’s supervisor and directing the individual to a malicious website or to download a file containing a malicious program,” OCR cautioned. “One of the primary methods of combating phishing attacks of all kinds is through user awareness.”
Phishing attacks can also impersonate seemingly trustworthy sources through different types of media sources. A healthcare employee could receive an email or a text message claiming that their password was hacked. The individual may then be prompted to click on a link to reset her password, but the website she is directed to is fake.
“Once entered into the fake website, the third party that initiated the phishing attack will have the individual’s login credentials for that site and can begin other malicious activity such as looking for sensitive information or using the individual’s email contact list to send more phishing attacks,” OCR explained. “Alternatively, rather than capture login credentials, the link on the phishing message may download malicious software on to the individual’s computer.”
Fifty-five percent of physicians said they had experienced a healthcare phishing attack, according to a 2017 report from Accenture and the American Medical Association (AMA).
Approximately half of those surveyed said a computer virus led to a cybersecurity attack.
“The important role of information sharing within clinical care makes health care a uniquely attractive target for cyber criminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety,” AMA President David O. Barbe, M.D., M.H.A., said in a statement. “New research shows that most physicians think that securely exchanging electronic data is important to improve health care.”
OCR added in its newsletter that attachments (e.g., documents, spreadsheets) could also be included in phishing messages. The attachments contain malicious software that could infiltrate a device and/or system once opened.
The agency urged covered entities to adhere to the following steps to maintain strong data security:
- Be wary of unsolicited third-party messages seeking information.
- Be wary of messages even from recognized sources.
- Be cautious when responding to messages sent by third parties.
- Be wary of clicking on links or downloading attachments from unsolicited messages.
Coworkers and supervisors can also have their accounts hacked, and covered entities need to ensure that employees are cautious with messages being sent from familiar sources.
Additionally, OCR cautioned healthcare organizations with regard to official looking messages and links.
“Phishing messages may direct you to fake web sites mimicking real websites using web site names that appear to be official, but which may contain intentional typos to trick individuals,” the newsletter read.
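The "official-looking name with an intentional typo" pattern OCR describes can be checked mechanically before a user ever clicks. The following is an added example, not code from the newsletter or from OCR: it pulls every URL out of a message body and classifies each hostname against a small allow-list as trusted, lookalike, or unknown. It folds digit and Cyrillic confusables, decodes punycode labels, catches a trusted name embedded in an unrelated domain, and flags small edit-distance variants. The allow-list, the sample message, and the hostnames used are constructed for illustration; the example also assumes a two-label registrable domain rather than consulting the Public Suffix List.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Hypothetical allow-list: the domains this organization treats as legitimate.
TRUSTED_DOMAINS = {"hhs.gov", "example-health.org"}

# Single-character substitutions commonly used in lookalike names: digits that
# resemble letters and Cyrillic letters that resemble Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(host: str) -> str:
    """Fold a hostname into the form a reader would visually take it for."""
    host = host.lower().rstrip(".")
    try:                                    # decode punycode (xn--) labels
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass                                # already Unicode or not valid IDNA
    host = unicodedata.normalize("NFKC", host)
    host = host.replace("rn", "m").replace("vv", "w")   # two-letter lookalikes
    return host.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    raw = host.lower().rstrip(".")
    if any(_under(raw, t) for t in TRUSTED_DOMAINS):
        return "trusted"
    norm = normalize(raw)
    for t in TRUSTED_DOMAINS:
        if _under(norm, t):                 # matches only after de-confusing
            return "lookalike"
        if t in norm or t.replace(".", "-") in norm:   # trusted name embedded
            return "lookalike"
        # Assumption: registrable domain is the last two labels (no PSL lookup).
        registrable = ".".join(norm.split(".")[-2:])
        budget = 1 if len(t) <= 8 else 2    # short names get a tighter budget
        if 0 < levenshtein(registrable, t) <= budget:
            return "lookalike"
    return "unknown"


def scan_message(text: str) -> list:
    """Classify every URL found in a message body, in order of appearance."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")           # drop sentence punctuation
        host = urlparse(url).hostname
        if host:
            results.append((url, classify_host(host)))
    return results


# Constructed sample: a "your password was hacked" lure with one lookalike link
# and one genuine link.
SAMPLE_MESSAGE = (
    "Your password was hacked. Reset it now at "
    "https://hhs.gov.account-verify.example/reset or review the policy at "
    "https://www.hhs.gov/hipaa/index.html."
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:9s} {url}")
```

The verdicts are a triage signal, not a block decision: an "unknown" host may be perfectly legitimate, and a "lookalike" result for a short trusted name (one edit away from another real domain) should route the message to a reviewer rather than be auto-deleted.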
OCR even issued a warning in 2016 that a phishing scam was using HHS letterhead to target HIPAA covered entities’ employees. The malicious email used a mock HHS departmental letterhead and carried then-OCR Director Jocelyn Samuels’ signature. The agency said the email was meant to look like official OCR audit communication.
February’s newsletter also stressed the importance of data backup.
“Malicious software that deletes your data or holds it for ransom may not be retrievable,” OCR wrote in the newsletter. “Robust, frequent backups may be the only way to restore data in the event of a successful attack.”
Anti-malware software and system patches must be updated regularly. Patches can reduce the chances of malware exploiting known vulnerabilities on a computer or mobile device operating system, the agency stated.
Finally, OCR advised that multi-factor authentication reduces the possibility that an unauthorized third party can hack into an account using only the account password.
Having more than just a password can also be beneficial if users are not trained on proper password security measures. A 2017 study published in Healthcare Informatics Research found that three-quarters of medical professionals have used another staff member’s password to obtain EHR access at work.
Fifty-seven percent of respondents also estimated that they had borrowed someone else’s password an average of 4.75 times.
OCR previously discussed multi-factor authentication in its November 2016 Cybersecurity Newsletter, and said entities should review their healthcare authentication methods and ensure that they have the appropriate safeguards in place.
“The Person or Entity Authentication standard of the HIPAA Security Rule requires that covered entities and business associates implement reasonable and appropriate authentication procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is the one claimed,” OCR stated in the 2016 newsletter.
A comprehensive and accurate risk analysis will also help identify any vulnerabilities in current authentication methods and practices.
Phishing attacks are evolving in their sophistication levels, but healthcare organizations can ensure that their prevention, detection, and mitigation measures also evolve to meet those threats.