The healthcare industry has conspicuously benefited from the rise of electronic health records (EHRs) and other digital platforms. Yet while these technologies make patients' and physicians' lives easier, storing private health information electronically in EHR software also exposes it to security breaches and cyber attacks.
Phishing has become a big concern
As protective software, including EHR software, becomes more effective and sophisticated, cyber criminals have had to develop new ways to target organizations. One technique that has gained ground is targeted "phishing," often called spear phishing. According to Microsoft, it involves a focused attack on a specific employee at a company: a cyber criminal scours Internet sites to dig up information about the company and its leadership, then uses a forged email to impersonate a trusted member of staff in a bid to win the victim's trust. If the employee believes the email is authentic, the criminal can either install malicious software on the victim's computer or simply ask the victim to send highly confidential information. The technique has proven highly effective, sparking widespread concern for the safety of protected information throughout the industry.
2 healthcare companies fall victim
Two U.S. healthcare companies have recently fallen victim to phishing scams, HIPAA Journal reported. Earlier in February, both Magnolia Health Corporation of California and St. Joseph's Healthcare System, based in New Jersey, saw incidents in which an employee was tricked into sending out confidential information. In the Magnolia Health Corporation breach, an employee received an email that purported to come from the company CEO, requesting a spreadsheet with full details of all current employees, including their Social Security numbers, salary payments, addresses and other personal information. The unwitting employee sent the spreadsheet to the malicious third party as requested, compromising the data. Although few details of the attack have been released, it is likely that the cyber criminal created an email account on a lookalike domain that closely resembled the company's own, which would have made the forged message hard to distinguish from a genuine one, HIPAA Journal noted. Such a sender address typically differs from the real one by only a character or two, a difference that is easy to miss in a mail client that shows the display name more prominently than the address itself.
The incident at St. Joseph's Healthcare System occurred just a few days later and was almost identical in nature to the attack on Magnolia Health Corporation. An employee received an email, purportedly from a trusted source, requesting earnings data for 5,000 employees from the 2015/2016 financial year. The employee sent the information, only to realize soon afterward that the request had been a scam, HIPAA Journal detailed. Affected employees were subsequently notified and offered complimentary credit monitoring for twelve months.
Tips for recognizing a phishing scam
Investigations at both healthcare organizations are ongoing, but industry leaders are becoming increasingly concerned. The ease with which both attacks succeeded speaks to how convincingly they were crafted, so it is important that all staff at healthcare organizations, big and small, are made aware of ways to spot potential scams. Several things can indicate a scam:
- Links in the email are usually the first red flag, Microsoft argued. Hover the cursor over a link and a box showing the real destination address appears; if that address differs from the one typed in the message, the email is likely a scam. Bear in mind that neither attack described above needed a link at all: a plain-text request for a file can be just as effective, so the sender's address deserves the same scrutiny as any link.
- According to Tech Republic, if an email is littered with typos, spelling mistakes and other grammatical errors, then chances are that it's a scam. This is because most reputable companies will have their emails copy-edited before dissemination.
- If a message contains threats, artificial urgency or other unprofessional language, it is almost certainly a scam.
- If the email asks you to send personal information, don't. This is another telltale sign of a malicious hoax, Tech Republic asserted. Any request for employee or patient data should be verified out of band, for instance by phoning the purported sender at a number you already know, before anything is sent.
- Employees should trust their instincts: most people come to recognize what is usual or unusual in work requests and in the language used. If it seems strange for a CEO to request access to an EHR, for example, investigate before acting.
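As an added example, not code from the original article or from any of the organizations it mentions, the following Python script applies several of the checks above mechanically to a raw email message: it flags a sender domain that merely resembles the organization's (homoglyph swaps such as "1" for "l", one- or two-character typos, or the organization's name embedded in a foreign domain), a Reply-To that diverts answers elsewhere, links whose visible text is a URL that does not match the real destination, and message bodies that ask for payroll-style data. The organization domain `example-health.org`, the three sample messages and the keyword list are all constructed for illustration and are not taken from the incidents described.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-health.org"  # hypothetical organisation domain

# Illustrative terms; two or more in one body count as a request for personal data
SENSITIVE_TERMS = ("social security", "ssn", "w-2", "salary", "payroll",
                   "spreadsheet", "date of birth", "bank account")

# Digits commonly substituted for letters in lookalike domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample messages (not real traffic)
LOOKALIKE_MSG = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-health.org>
To: payroll@example-health.org
Reply-To: jane.doe.ceo@webmail.test
Subject: Urgent: employee W-2 spreadsheet
Content-Type: text/plain; charset=utf-8

Please send me the spreadsheet with all employees' Social Security numbers today.
"""

LINK_MSG = """\
From: "IT Helpdesk" <helpdesk@example-health.org>
To: staff@example-health.org
Subject: Password expiring
Content-Type: text/html; charset=utf-8

<p>Reset here: <a href="http://login-example-health.evil.test/r">https://portal.example-health.org/r</a></p>
"""

LEGIT_MSG = """\
From: "Payroll" <payroll@example-health.org>
To: staff@example-health.org
Subject: Holiday schedule
Content-Type: text/plain; charset=utf-8

The holiday schedule for next month is attached.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True when `domain` is not the organisation's but is built to be mistaken for it."""
    domain, org_domain = domain.lower(), org_domain.lower()
    if domain == org_domain or domain.endswith("." + org_domain):
        return False  # the real domain or a genuine subdomain of it
    norm = lambda d: d.replace("rn", "m").translate(HOMOGLYPHS)
    if norm(domain) == norm(org_domain):
        return True  # homoglyph substitution, e.g. examp1e-health.org
    if levenshtein(domain, org_domain) <= 2:
        return True  # typo-squat, e.g. exmple-health.org
    return org_domain.split(".")[0] in domain  # org name inside a foreign domain


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def mismatched_links(html: str) -> list:
    """Links whose visible text is itself a URL pointing at a different host than the href."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if re.match(r"(https?://|www\.)", text) and host_of(text) != host_of(href)]


def analyze(raw: str, org_domain: str = ORG_DOMAIN) -> list:
    """Return finding codes for one RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if is_lookalike(sender_domain, org_domain):
        findings.append("lookalike-sender-domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append("reply-to-differs-from-sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html" and mismatched_links(content):
        findings.append("link-text-mismatch")
    if sum(term in content.lower() for term in SENSITIVE_TERMS) >= 2:
        findings.append("sensitive-data-request")
    return findings


if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE_MSG), ("link", LINK_MSG), ("legit", LEGIT_MSG)):
        print(name, analyze(raw))
```

The checks are deliberately heuristic: a lookalike domain is the strongest single signal because, as in the two incidents above, a convincing message may contain no link and no spelling mistakes at all. In a mail gateway these findings would feed a quarantine or banner rule rather than an outright block, and the domain comparison should also be run against any domains the organization legitimately uses for outsourced payroll or HR.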
The attacks on St. Joseph's Healthcare System and Magnolia Health Corporation have occurred amid a push from the federal government to enforce the Privacy Rule of the 1996 Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and Human Services' Office for Civil Rights has pledged to increase the number of audits of healthcare companies across the nation this year, to ensure that they are complying with HIPAA's Privacy Rule, including in how they deploy EHR software, Medical Economics explained. The emphasis on protecting patient health information is a corollary of the growing number of cyber attacks in recent years. It is worth noting that the data lost in the two incidents above was employee payroll information rather than patient records; employment records held by a covered entity in its role as an employer fall outside HIPAA's definition of protected health information, although a breach of Social Security numbers is still generally reportable under state data-breach laws.