The threat from phishing attacks is growing faster than ever before. Healthcare organizations now need to implement the appropriate security measures to protect their patients' information; otherwise they are susceptible to a data breach and to being fined thousands of dollars.
Palmetto Health recently became a victim of a phishing scam after several emails containing a malicious hyperlink were sent to its employees. When the link was clicked, employees were brought to a web page where they were asked to enter their email credentials. Little did the employees know, they were disclosing their credentials to the attackers, which gave the attackers access to the email accounts.
An investigation was conducted by a third-party forensics firm to determine the nature and extent of the breach and whether any patients’ protected health information (PHI) was exposed. The forensics firm concluded that the first of the email accounts was compromised in November 2018. After an extensive review process, it was determined that 23,811 patients had their PHI accessed by an unauthorized individual. PHI is any demographic information that can be used to identify a patient, including name, address, date of birth, medical records, and Social Security numbers, to name a few examples.
The exposed information included names and information regarding treatment or consultation used by Palmetto Health. There was also a small percentage of emails that contained health insurance information, Social Security numbers, and financial information, all of which constitute PHI.
While Palmetto Health believes the aim of the attack was only to gain access to payroll information rather than PHI, this still does not excuse their lack of security safeguards.
The HIPAA Security Rule sets national safeguards for protecting the transmission and handling of ePHI. The rule addresses three main components: physical, administrative, and technical safeguards. In this incident, Palmetto Health did not implement the proper technical safeguards, which resulted in a phishing attack.
Technical safeguards are used to protect the cyber-security of your business. Technical cyber-security safeguards must be implemented in order to keep your ePHI safe from hackers, theft, or any unauthorized individual. Some examples of technical safeguards are firewalls, encryption, and data backup.
Additionally, administrative safeguards entail proper employee training. HIPAA employee training must include effective cyber-security awareness training on a quarterly basis, which should educate members of the workforce about important trends and threats in the world of cyber-security. Because phishing emails are so common, they are also very easily avoidable if employees know what to look out for.
Compliancy Group Can Help
Compliancy Group gives health care organizations confidence in their HIPAA compliance with The Guard. The Guard is our HIPAA compliance web-app that covers every element of HIPAA compliance.
Our Compliance Coaches will guide users through every step of their compliance program with the help of our HIPAA compliance web-app. The Guard is built to address the full extent of HIPAA regulation, including everything needed to implement an effective HIPAA compliance program that will help safeguard your practice from cybersecurity attacks.
With The Guard, health care professionals will not only address their physical security safeguards, but the technical and administrative safeguards as well, along with the other HIPAA requirements. Find out more about how The Guard can simplify your HIPAA compliance today!