Phishing attacks

Phishing attacks are by nature difficult to detect. Attackers disguise themselves as a trusted entity and send their victims links to malicious content, whether by email, text, or instant message. When the recipient clicks the link, the attackers are able to gain access to their system.
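The following is an added example, not part of the original article, showing what "disguising as a trusted entity" looks like at the message level and how a defender can surface the tell-tale signs: a sender domain that is not the organization's, a Reply-To that diverts replies elsewhere, and a link whose visible text names the trusted domain while its href points somewhere else. It uses only the Python standard library; the two sample messages, the domains (`hospital.example` and friends), and the `TRUSTED_DOMAINS` set are constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lookalike "internal" message whose link text shows the
# trusted domain but whose href leads to a different registrable domain.
SAMPLE_EML = b"""From: IT Helpdesk <helpdesk@hospital-support.example>
Reply-To: reset@mail-reset.example
To: staff@hospital.example
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your network password expires today. Sign in to keep access:</p>
<a href="http://login.hospital.example.credential-check.example/auth">https://login.hospital.example</a>
</body></html>
"""

# Constructed sample: a legitimate internal notice for comparison.
BENIGN_EML = b"""From: IT Helpdesk <helpdesk@hospital.example>
To: staff@hospital.example
Subject: Scheduled maintenance
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://intranet.hospital.example/notices">https://intranet.hospital.example/notices</a></p></body></html>
"""

# Assumption: the organization's own domain(s); adjust for a real deployment.
TRUSTED_DOMAINS = {"hospital.example"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' domain; enough to expose subdomain lookalikes here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_address(addr):
    """Return the domain part of an RFC 5322 address header value ('' if none)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def phishing_indicators(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable indicators found in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_domain = domain_of_address(msg["From"])
    reply_domain = domain_of_address(msg["Reply-To"])
    if from_domain and registrable(from_domain) not in trusted:
        findings.append(f"sender domain not trusted: {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to differs from sender: {reply_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            shown = re.match(r"https?://([^/\s]+)", text)
            shown_host = shown.group(1).lower() if shown else ""
            if shown_host and registrable(shown_host) != registrable(href_host):
                findings.append(f"link text shows {shown_host} but points to {href_host}")
            elif registrable(href_host) not in trusted:
                findings.append(f"link to untrusted host: {href_host}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(f"{label}: {phishing_indicators(raw) or ['no indicators']}")
```

Run against the constructed suspicious message this reports three indicators (untrusted sender domain, diverging Reply-To, and the link text/href mismatch) and none against the benign one. In a mail gateway the same checks would be one input to a scoring rule rather than a verdict on their own; the registrable-domain helper is deliberately naive and a real deployment would use the public suffix list.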

Organizations that maintain or transmit protected health information (PHI) must have safeguards in place to protect their data from email phishing attacks. The Department of Health and Human Services (HHS) identifies ten practices organizations should implement to strengthen their cybersecurity:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

Recognizing a Phishing Email Can Be Instrumental to Protecting PHI

Cancer Treatment Centers of America (CTCA) is the victim of another email phishing attack. This latest breach on March 10, 2019, occurred when an employee of the Southeastern Regional Medical Center responded to what they thought was an internal email. The employee divulged their network login credentials to the hacker.

This allowed the attacker to gain access to sensitive emails and email attachments that may have contained protected health information (PHI), affecting 16,819 individuals. CTCA hired a third-party computer forensic firm to investigate the incident. The investigation found that no patient health records were accessed; nevertheless, the exposed data may still have contained PHI.

The account in question held information such as health insurance information, medical record numbers, government ID numbers, names, addresses, and some medical information. However, no financial information or Social Security numbers were at risk. CTCA has made affected individuals aware of the breach and advised patients to monitor their account statements and explanation of benefits statements for irregularities.

In a previous phishing attack on May 2, 2018, at its Western Regional Medical Center, another employee’s email account was accessed, putting 41,948 patients’ PHI at risk. That first attack was more widespread than the most recent one, including access to patient names, addresses, dates of birth, email addresses, phone numbers, medical information, and some Social Security numbers. Although in both cases it was unclear whether the hacker was able to access the data contained in the email accounts, CTCA is taking every precaution to protect its patients: “We take our responsibility to safeguard personal information seriously and remain committed to protecting patient privacy and security. We have provided additional education to our workforce about how to identify suspicious emails to help ensure this does not happen in the future.”

In light of the recent attack, CTCA is increasing email security and conducting security awareness training so that employees will be able to prevent these types of attacks in the future. Human error continues to be the main culprit behind breaches. Without proper training, it is difficult for employees to recognize when their devices or accounts have been compromised. To protect your organization from these types of attacks, employee security training must be mandatory.
