Digital technology continues to make our lines of communication more abundant and easily accessible throughout our everyday and working lives. It also makes us more susceptible to fraud and gives cyber criminals more avenues for conducting illicit activities.
Phishing, a type of cybercrime that uses email, telephone, and text messaging to contact unsuspecting recipients and lure them into sharing private, sensitive information, remains a pervasive pattern that threatens to cost all those impacted as much as $2 trillion in 2019.[1]
According to Roger Shindell, CHPS, CISA, CIPM, the proliferation of phishing scams is made possible through the ability of scammers to appear to be legitimate representatives of banks, credit card companies, and other entities in their attempts to acquire information such as account numbers, passwords, and other types of identifiers that can result in direct financial loss and/or data theft. As it relates to healthcare, phishing tends to involve the acquisition of protected healthcare information (PHI), which is generally defined as any information about health status, provision of healthcare, or payment for healthcare that is created or collected by a covered entity (i.e., health plans, healthcare clearinghouses, and healthcare providers). According to a recent report, the term “payment notification” is the most common healthcare-related phishing attack subject line used in fraudulent email messages, appearing in 58 percent of such campaigns in 2018.[2]
“There are actually two types of phishing attacks: The first we just call basic phishing and the second is ‘spearphishing,’ which occurs when someone’s email address has been taken over as part of the attack so that it appears that the email is coming from someone that the recipient actually knows,” said Shindell, founder, president, and chief executive officer with Carosh Compliance Solutions, an organization that specializes in providing HIPAA privacy and security consulting services. ADVANCE recently spoke with Shindell about how healthcare providers can better protect their patients’ PHI by becoming more knowledgeable and compliant as it relates to phishing protection.
What might phishing emails look like? “There are some common features to different types of phishing emails. One is an offer that’s ‘too good to be true.’ A lucrative opportunity like a free stay at a resort that has a sense of urgency to respond. The email could contain a hyperlink that goes to a malicious site or a download option that can result in malware being introduced to your system. Or you may see attachments that are actually part of the phishing attack and that, when opened, may download malware onto your system.”
For those who attempt phishing, what are their goals and how might patients be targets? “The ultimate goal is to collect sensitive information to be used for malicious purposes, such as identity theft. Patients would potentially be targets as a way to collect insurance card numbers. Typically, they would be targeted through the provider’s system, including the email system, being compromised, which allows cyber criminals to use its email addresses and act as the provider. Phishing attacks are enormously successful because, unless someone is trained to recognize links or attachments that are sent within a nefarious email, the provider’s email system can easily be compromised. Another way that providers might be used to gain access to a patient is when someone creates a website that looks exactly like the provider’s site and uses the same URL, except for a slight difference. For instance, the fake site might have a ‘.net’ URL when the real site uses a ‘.com’. The fake site could then redirect users to a site that can make someone susceptible to an attack.”
What is the difference between phishing and ransomware? “Phishing is an attack that is meant to place some kind of nefarious software on your computer. Ransomware is a type of malicious software that threatens to harm data or block access to it unless a ransom is paid. Ransomware is a specific kind of malware, software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system, that may be delivered in a phishing attack. Once a system is infected with malware, the median length of time it takes to recognize your system being compromised is 180 days, which means it can sit on your system for a significant period of time doing malicious things. A successful ransomware attack has been defined by the United States Department of Homeland Security and the U.S. Department of Health and Human Services as being a breach under the HIPAA regulations. For example, a ransomware perpetrator could launch the ransomware, lock up your system, and be behind the scenes transferring data from your system to their system. It is very difficult to catch perpetrators of ransomware because the advent of cryptocurrency, like Bitcoin, creates untraceable transactions.”
How does HIPAA potentially attempt to guard against phishing? “HIPAA requires safeguards to be put in place for reasonably anticipated vulnerabilities to data, which would certainly include phishing attacks. The best way to address phishing is training people to recognize what a phishing email looks like. When a suspicious email is found, the organization’s chief security officer should be contacted and the email should be segregated until it can be determined that it’s actually appropriate. Never open attachments from people you don’t know. Antivirus software should be set to scan any incoming emails for malicious software. There are a variety of technical securities that evaluate phishing emails to determine if they are legitimate, but these can be somewhat pricey. You really want to go back to the idea of training staff to protect against phishing attacks.”
If a healthcare facility/provider believes they are a victim of phishing, what’s next? “The first thing you want to do is isolate the suspected parts of your system that may have been infected so that the infection can’t continue and expand. You should also have adequate backups of information and files created to more easily restore any compromised data. Perform a professional cleanup of your system to remove all traces and remnants of the phishing attack. And I can’t stress strongly enough that the best way to address a phishing attack is to train your staff and be sure that anti-malware systems are up to date.”
How can facilities/providers best attempt to safeguard against phishing? “No. 1, keep informed about new phishing techniques that are developed. Ask your IT administrators for ongoing security awareness training that includes simulated phishing attacks for all users. Think before you open any emails or links in emails that you receive. Make sure you understand what kind of link you are clicking and make sure all websites that you visit are legitimate. One way to do this is by copying and pasting web links shared in emails into your browser to see where it takes you. Before sending any information via email make certain that the sender is legitimate. If you do not recognize the sending party, try to make a connection with a phone number. Install anti-phishing toolbars on your browser and pay attention to any alerts that these programs may communicate. Verify website security by ensuring that all URLs begin with ‘http’ and be aware of the closed-lock icon that should appear near the web address bar. Check your online accounts regularly and change passwords regularly. Keep your web browser up to date and use firewalls (desktop firewall and network firewall) to act as a buffer between you, your computer, and outside intruders. Be wary of popup ads. Many popular browsers allow blocking of popups. Never share personal information over the internet, as a general rule, and never send an email with sensitive information unless you are absolutely sure that you know the recipient/organization of the email. Use antivirus software and set the software to actively scan any files that are downloaded or emails received through your system. However, there is no foolproof way to avoid phishing attacks.”
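Two of the warning signs Shindell describes, a lookalike provider domain that differs only in its TLD (‘.net’ for ‘.com’) and a link whose visible text does not match where it actually goes, can be checked automatically before anyone clicks. The following checker is an added example written for this article, not code from Shindell or Carosh Compliance Solutions; the trusted domain and the sample email are constructed placeholders.

```python
# Added example: flag suspicious links in an HTML email body. Two checks are
# made, both drawn from the interview: (1) the host shown in the link text
# differs from the host in the href, and (2) the href host mimics a trusted
# provider domain by swapping only the TLD. Domains below are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-clinic.com"}  # constructed placeholder


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'name.tld' reduction, sufficient for the TLD-swap comparison."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_email_links(html):
    """Return (href, reason) findings for links that deserve a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable(shown.group(0)) != registrable(host):
            findings.append((href, "display text host differs from link target"))
        dom = registrable(host)
        for trusted in TRUSTED_DOMAINS:
            if dom != trusted and dom.split(".")[0] == trusted.split(".")[0]:
                findings.append((href, f"TLD swap on trusted domain {trusted}"))
    return findings


SAMPLE_EMAIL = """<p>Payment notification: <a href="http://example-clinic.net/pay">
example-clinic.com/pay</a> and <a href="https://example-clinic.com/portal">patient portal</a></p>"""
```

Running `check_email_links(SAMPLE_EMAIL)` flags only the first link, for both reasons; a mail gateway or help-desk triage script can apply the same two checks to quarantined messages.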
How can employing a HIPAA privacy and security consultant help to keep provider and patient data safe while helping providers and facilities remain compliant? “The use of a privacy and security consultant is going to give you access to resources that will keep you up to date on trends. Employing a qualified professional consultant can help to validate adequate safeguards from a compliance and operational perspective.”
1. Sweeney G. New year, new scams: what to watch out for in 2019. Softonic. 2018. Accessed online: https://en.softonic.com/articles/online-scams-in-2019?ex=BB-765.2
2. ‘Payment notification’ is top healthcare phishing attack subject. Health IT Security. 2018. Accessed online: https://healthitsecurity.com/news/payment-notification-is-top-healthcare-phishing-attack-subject