Just a few months ago, provider UnityPoint Health suffered a phishing-related data breach that compromised the protected data of up to 1.4 million patients.
The breach occurred between March 14th and April 3rd of 2018, when a high-level executive’s email account was compromised and spoofed by a fraudster. Several employees responded to the spoofed messages and offered up their email credentials, creating an open door for email interception. Forensic analysis of the breach showed that these newly-compromised email accounts contained substantial protected health information (PHI) within the email content and attachments.
While there’s no telling how extensive the damage is this early on, it’s safe to say that a breach of this magnitude (the biggest phishing breach on record since 2009!) will come with major HIPAA penalties for the clinic.
This represents a potentially explosive catastrophe for medical offices in a world of phishing, email interception, and data theft: Your patient data is there. It’s valuable. And it’s vulnerable.
The Cost of Data Breaches
Healthcare providers are primary targets for data theft, and medical clinics of all sizes are at risk.
Earlier this year, the Department of Health and Human Services upheld a finding that the University of Texas MD Anderson Cancer Center would need to pay $4,348,000 in HIPAA penalties due to several data breaches of its own—the fourth largest HIPAA violation on record since the policy became law in 1996.
This breach involved loss of physical devices containing PHI, none of which was adequately secured by HIPAA standards. And though it’s unclear if unsecured email content was contained on any of these devices, it’s a perfect example of why medical clinics need to build thorough and HIPAA-compliant security policies into their employee training, from the way devices are handled, to the way emails are sent, to the way data is stored.
The Dangers of Phishing
Of course, phishing is a dangerous type of attack that can subvert even great security protocols.
Phishing is the practice of using spoofed credentials, email addresses, or falsified accounts to reach out to users and trick them into giving up sensitive information. Phishing is a common attack strategy in email-based attacks. And naturally, healthcare offices are the most lucrative targets.
When fraudsters target an organization’s email channel, it’s known as a business email compromise (BEC) attack. The FBI reported that between mid-2013 and mid-2018, there were a total of 78,617 BEC incidents around the world, costing companies and users over $12 billion. And based on how fast this market is growing, we expect this number to increase even further over the coming years.
You don’t have to look far to see examples of these attacks in action. Back in 2015, the University of Washington Medicine was fined $750,000 after a phishing-related malware breach compromised the data of 90,000 patients. In this case, an employee simply opened an email containing a malware-ridden attachment, exposing the entire clinic to risk.
According to David Holtzman, vice president of compliance at security consulting firm CynergisTek, these email-related attacks should be wakeup calls to medical clinics with poor PHI security:
“It serves as notice of the role that social engineering [awareness] exercises and training workforce members on the threats posed by malware hidden in emails can play in preventing catastrophic infiltration of an enterprise information system.”
HIPAA-Compliant Email Practices
HIPAA requirements for email are designed with a single purpose: Protecting information from prying eyes in the event that the data is lost or mishandled. If your clinic fails to uphold this basic standard of security, you’ll be exposed to civil penalties, legal complications, and loss of the public trust—any one of which can be devastating to a small medical practice.
And while phishing isn’t specifically mentioned in HIPAA guidelines, there are foundational rules that govern how clinics should approach PHI storage over email:
- Restrict access to PHI;
- Monitor how PHI is communicated;
- Ensure the integrity of PHI at rest;
- Ensure message accountability;
- Protect PHI from unauthorized access during transit.
Of course, most clinics go beyond these measures and protect their email channels with additional security, such as spam filtering and encryption. But in truth, these email interception strategies are only the beginning.
Start With Your Employees
Companies that want to stay HIPAA-compliant in a world of phishing need to make employee training a priority: Issuing regular security reminders, updating and patching software, monitoring user logins, and creating effective password management strategies.
But the only way to truly stop phishing in its tracks is to teach every single employee in your organization how to spot these attacks when they occur and what steps to take when an email is intercepted. As we’ve seen over the past few years, any clinic can fall victim to these attacks. It’s up to the organization to make cybersecurity a priority and teach their teams to recognize, and prevent, any and all types of social engineering.