HIPAA: Who’s Lurking in Your Inbox? Phishing Unmasked

Written By: Sarah Jo Daimler, CHCP (Senior Compliance Advisor) & Cameron McNerney, CHCP (Communication Manager) at Healthcare Compliance Pros.

Publish Date: Friday, October 27th, 2023 | Estimated Read Time: 9 Minutes


Introduction: Unmasking Phishing as a Compliance Threat

The HIPAA Challenge as Phishing Targets Healthcare

Healthcare organizations are uniquely vulnerable to cyber-attacks that can wreak havoc on their digital infrastructure. Well-resourced adversaries devote time and money to "phishing," a broad form of deception in which the victim is lured into handing over information or access.

Phishing targets healthcare organizations because of the valuable data they hold: protected health information (PHI). When phishing succeeds, the result is often unauthorized access to PHI, and each such incident is a potential HIPAA breach that could have been prevented.

Let's look at the primary tactics employed by threat actors who methodically target healthcare organizations. Our compliance advisors want to help you understand and meet your organization's requirements to protect the confidentiality, integrity, and availability of sensitive patient data.

Too Many "Phish" in the Sea (HIPAA Breach Incidents)

Since the first widely publicized phishing attempts, many deceptive methods have emerged. The "ILOVEYOU" worm of 2000 was an early social engineering success: it spread as an email attachment that victims opened because it promised a love letter, and it is estimated to have infected over 10 million computers. More than twenty years later, with far more technology to exploit, there are too many 'phish' in the sea to ignore.

HIPAA Breach Incidents: Want a sobering look at the consequences of phishing today? The healthcare industry has plenty of cautionary tales in the OCR "Breach Portal," which is updated as new reports arrive.

  • 🕒 Real-Time Data: View the current reports of nationwide breach incidents in the "Breach Portal" linked above, which is maintained by the primary HIPAA enforcement agency. Even so, the numbers are hard to take in.
  • 👀 See What HIPAA Regulators See: The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) publishes this so-called "HIPAA Wall of Shame," which lists reported breaches of unsecured PHI affecting 500 or more individuals, including cases currently under investigation.
  • 📈 Increasing Numbers of Affected Individuals: Totaling the number of people affected by "Hacking/IT Incidents" alone gives a sobering result, and that is only one of several breach types the portal tracks alongside unauthorized access or disclosure, theft, loss, and improper disposal.

Phishing causes HIPAA breaches by gaining unauthorized access to PHI. Phishing schemes trick employees (you, me, and potentially anyone) into disclosing sensitive information or handing cybercriminals access to healthcare systems.

Reeling in the Tears (CISA.gov Infographic)

The threat actor reels in the catch of the day when a victim replies with valuable information or opens a spoofed link or attachment. Phishing emails frequently pass straight through network border and endpoint safeguards.

[PDF INFOGRAPHIC] Discover "Phishing" Vulnerabilities: The Cybersecurity & Infrastructure Security Agency (CISA.gov) conducts phishing tests as part of its regular risk and vulnerability assessments. Here are the must-know results from its review (published February 2023):

  • 👩‍💻 70% of malicious links and file attachments were NOT blocked by network border protection services. Separately, 15% were NOT blocked by endpoint protection, which is the last technical control before a user runs the payload.
  • 👩‍💻 84% of employees took the bait within 10 minutes of receiving the deceptive email, either by replying with sensitive information or by interacting with a spoofed link or attachment.
  • 👩‍💻 Only 13% of targeted employees reported the phishing attempt (disturbing, but perhaps not surprising human behavior). Every unreported attempt is one the security team cannot investigate, so low reporting rates directly blunt an organization's response capabilities.

And once a victim is hooked, what does the threat actor walk away with? Sensitive information, credentials, or a foothold from which to compromise the rest of the organization, and very likely the material for more convincing attempts aimed at you and your colleagues.

Phishing Unmasked: Top 10 Cybersecurity Threats

"Sunlight is the Best Disinfectant" (HIPAA Compliance)

That motto guides us year-round. An effective compliance program is the best protection for your organization (plain enough to say, not so simple to do). Behind the scenes, our team specializes in equipping you with the necessary knowledge. HIPAA compliance is a continuous process of correction (and there's always hope).

To protect patient data and comply with strict rules, let's look closer at the specter that relentlessly haunts digital healthcare: phishing.

One of our senior compliance advisors, Sarah Jo Daimler (CHCP), rose to the challenge of defining examples of malicious threats while humanizing cybersecurity. Rather than boring you with abstract concepts, she put her healthcare compliance expertise into this Halloween-themed tour:

Phishing Attempts Explained: Who Could Be Lurking in Your Inbox?

🎣📩 Seeking another unsuspecting victim?

In the dark corners of the internet, a sinister threat lurks—one that can haunt your online existence and steal your most valuable secrets. Enter our villains who use "phishing" tactics. In this creative journey to inform and educate you, we'll delve into the eerie world of cyber deception.

1. The Phantom Impersonators

Phishers are masters of disguise, much like ghosts haunting an old mansion. They impersonate trusted entities like banks, social media giants, and government agencies. Their eerie impersonations mimic legitimate websites and email communications, luring unsuspecting prey into their trap.

2. Email Phishing - The Ghostly Messages

Spear phishing and whaling are ghostly apparitions aimed at specific individuals and at high-profile targets such as executives. With chilling precision, attackers tailor their messages to their victims' interests, roles, and affiliations, leaving them vulnerable to the sinister plots of these cyber phantoms.

3. Smishing and Vishing - The Shadow Voices

In the dead of night, phishers unleash smishing and vishing attacks. Text messages (smishing) and eerie phone calls (vishing) are their tools. With a haunting tone, they impersonate trusted sources, tricking victims into revealing their darkest secrets.

4. The Cursed Links and Malware

Hidden beneath seemingly innocent links are malicious websites that can infect your digital world with malware. Once infected, your device becomes a haunted vessel, carrying out the cyber ghost's bidding. This malware can steal your most intimate data, just as a ghost might steal your soul.

5. The Dark Arts of Social Engineering

Phishers use psychological manipulation to control their victims, like puppeteers controlling marionettes. Urgency, curiosity, fear, and trust are the common tools of social engineering tactics. Victims are left feeling powerless, ensnared in a web of deceit spun by these digital apparitions.

6. The Specter of Spoofing

Masters of illusion, phishers manufacture trust through email spoofing. The display name, the sender's address, or the domain is eerily similar to a trusted source (a swapped letter, a digit in place of a letter, a familiar name shown over an unfamiliar address), leading victims to open doors to the unknown and unwittingly invite the spirits of deception into their digital world.
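As an added example (this code is not from the article or from Healthcare Compliance Pros), here is how a mail gateway or a SOC triage script can unmask the spoofing tricks this section describes: a homoglyph domain, a typo-squatted domain, and a trusted name or address placed in the display name over an unrelated real address. The trusted domains and every From: header in it are hypothetical and constructed for illustration.

```python
"""Added example (not part of the original article): flag spoofed or
look-alike sender addresses in an email From: header.

Assumptions (hypothetical, not from the article): the organization trusts
mail from the domains in TRUSTED_DOMAINS; every From: header below is
constructed for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr

TRUSTED_DOMAINS = ("example-clinic.org", "bank.example")  # hypothetical

# Single-character substitutions used to build look-alike domains:
# digits for letters, and Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "i": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def decode_idn(domain: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so the comparison
    is made on what the recipient actually sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(domain: str) -> str:
    """Collapse a domain to a canonical form so that visually similar
    spellings compare equal (a simplified take on Unicode 'confusables')."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    d = d.translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, which catches typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_token(text: str) -> str:
    """'Example Clinic Billing' -> 'exampleclinicbilling'; used to spot a
    display name that borrows a trusted brand."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def analyse_sender(from_header: str) -> dict:
    """Return a verdict ('trusted', 'suspicious' or 'unknown') and the
    findings that justify it."""
    name, addr = parseaddr(from_header)
    domain = decode_idn(addr.rpartition("@")[2].lower())
    findings = []
    if domain in TRUSTED_DOMAINS:
        return {"address": addr, "domain": domain, "verdict": "trusted", "findings": findings}

    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted):
            findings.append(f"homoglyph look-alike of {trusted}")
        elif edit_distance(domain, trusted) <= 2:
            findings.append(f"within 2 edits of {trusted}")
        # The display name borrows the trusted brand, but the address does not.
        if brand_token(trusted.split(".")[0]) in brand_token(name):
            findings.append(f"display name claims {trusted}")
        # The display name is itself an address on the trusted domain, e.g.
        # "billing@example-clinic.org" <attacker@elsewhere>; mail clients
        # often show only the display name, so the real address stays hidden.
        if "@" in name and name.rpartition("@")[2].lower() == trusted:
            findings.append(f"display name carries an address at {trusted}")

    verdict = "suspicious" if findings else "unknown"
    return {"address": addr, "domain": domain, "verdict": verdict, "findings": findings}


SAMPLE_FROM_HEADERS = [  # constructed for illustration
    "Dr. Lee <dr.lee@example-clinic.org>",
    "Example Clinic Billing <billing@examp1e-clinic.org>",
    '"billing@example-clinic.org" <noreply@mail-relay.example.net>',
    "IT Help Desk <helpdesk@example-clinc.org>",
    "Newsletter <news@unrelated.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        result = analyse_sender(header)
        print(f"{result['verdict']:10} {header}  {result['findings']}")
```

Run it as a script to see a verdict for each sample. The skeleton function is deliberately a small subset of the Unicode confusables table, so extend CONFUSABLES for the scripts your organization actually receives mail in, and note that a real gateway layers SPF, DKIM and DMARC results on top of this header inspection rather than relying on it alone.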

7. The Harvesting of Souls - Credentials and Data

Like an unscrupulous sorcerer, phishers seek to harvest your digital soul—the login credentials. Once stolen, they can access your accounts, steal your personal data, and haunt your online presence.

8. Fending Off the Phantoms

To fend off these digital specters, one must be prepared. Cybersecurity experts employ advanced tools like email filtering systems and multi-factor authentication to ward off phishing threats. Vigilant monitoring for suspicious activity is the watchful eye that keeps these malevolent spirits at bay.
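Sections 7 and 8 describe the harvest of credentials and the vigilant monitoring that catches those credentials in use. As an added example (not code from the article or from Healthcare Compliance Pros), here is what that monitoring looks like as detection logic run over sign-in events. It assumes, hypothetically, that your identity provider exports sign-ins as lines of the form `<ISO-8601 time> <user> <ip> <country> <success|failure>`, already geolocated to a country; the log lines, thresholds and rule names are constructed for illustration.

```python
"""Added example (not part of the original article): two detections that
surface harvested credentials in use, run over constructed sign-in logs.

Assumptions (hypothetical): the identity provider emits one line per
sign-in attempt, already enriched with a country code, in the form
"<ISO-8601 time> <user> <ip> <country> <success|failure>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice signs in normally at 08:55 and her account is
# used from another country 25 minutes later; bob's account is guessed
# after five failures; carol is ordinary activity.
SAMPLE_LOG = """\
2023-10-27T08:55:02Z alice 203.0.113.10 US success
2023-10-27T09:01:10Z bob 198.51.100.7 US failure
2023-10-27T09:01:12Z bob 198.51.100.7 US failure
2023-10-27T09:01:15Z bob 198.51.100.7 US failure
2023-10-27T09:01:19Z bob 198.51.100.7 US failure
2023-10-27T09:01:23Z bob 198.51.100.7 US failure
2023-10-27T09:01:40Z bob 198.51.100.7 US success
2023-10-27T09:20:44Z alice 192.0.2.55 NG success
2023-10-27T11:30:00Z carol 203.0.113.22 US success
2023-10-27T14:00:00Z carol 203.0.113.22 US success
"""

TRAVEL_WINDOW = timedelta(minutes=60)  # two countries inside this gap is not travel
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_THRESHOLD = 5


def parse_log(text: str) -> list:
    """Parse the constructed format into dicts, ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country,
            "ok": outcome == "success",
        })
    events.sort(key=lambda e: e["time"])
    return events


def impossible_travel(events: list) -> list:
    """Two successful sign-ins by one user from different countries within
    TRAVEL_WINDOW: the classic footprint of a phished password in use."""
    alerts, last_ok = [], {}
    for e in events:
        if not e["ok"]:
            continue
        prev = last_ok.get(e["user"])
        if prev and prev["country"] != e["country"] and e["time"] - prev["time"] <= TRAVEL_WINDOW:
            gap = int((e["time"] - prev["time"]).total_seconds() // 60)
            alerts.append({"rule": "impossible_travel", "user": e["user"],
                           "from": prev["country"], "to": e["country"], "minutes": gap})
        last_ok[e["user"]] = e
    return alerts


def failures_then_success(events: list) -> list:
    """SPRAY_THRESHOLD or more failures for one user within SPRAY_WINDOW
    followed by a success: a guessed or replayed credential finally worked."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        window = recent[e["user"]]
        window[:] = [t for t in window if e["time"] - t <= SPRAY_WINDOW]
        if e["ok"]:
            if len(window) >= SPRAY_THRESHOLD:
                alerts.append({"rule": "failures_then_success", "user": e["user"],
                               "failures": len(window), "ip": e["ip"]})
            window.clear()
        else:
            window.append(e["time"])
    return alerts


def run_detections(text: str = SAMPLE_LOG) -> list:
    """Run every detection over one log export and return the alerts."""
    events = parse_log(text)
    return impossible_travel(events) + failures_then_success(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The windows and thresholds are illustrative; production rules usually add autonomous-system and device signals and the MFA outcome of each sign-in. What matters for this article is the hand-off: an alert from either rule is the moment the incident response plan of section 9 starts, with the session revoked and the password reset before the harvested credential is used against PHI.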

9. The Ghostly Aftermath - Incident Response

Sometimes, despite all defenses, the specter of phishing breaches your digital fortress. In such dire situations, a well-defined incident response plan is your lifeline—a guide to mitigating damage, containing the breach, and exorcising the digital ghosts from your system.

10. Facing the Phishing Nightmare

Phishing is a relentless nightmare that haunts the digital world. It preys on human psychology and constantly evolves its tactics. But with awareness, education, and a robust cybersecurity infrastructure, you can shine a light into the darkest corners of your digital domain, keeping the phishers at bay and unmasking the spookiness that lurks in your inbox. Stay vigilant, for in the digital realm, the ghosts of deception are always lurking, waiting to strike when you least expect it.

Aligning with HIPAA Compliance

"So, What? What does phishing have to do with following the law?"

Sensitive protected health information (PHI) is at stake. Full stop.

Healthcare organizations are bound by strict regulations, including the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the HIPAA Breach Notification Rule mandates that Covered Entities (CEs) must notify the following groups when a breach of unsecured PHI occurs (a Business Associate (BA) that discovers a breach must notify the covered entity it serves):

  • Notify all affected individuals, without unreasonable delay and no later than 60 days after discovery, by individual written notice (with substitute notice, such as a website posting or major media, where contact information is out of date).
  • Notify the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the primary HIPAA enforcement agency: within the same 60-day window for breaches affecting 500 or more individuals, and in an annual log for smaller ones.
  • Notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction, and in some cases state attorneys general or other local or state agencies under state breach laws.

Phishing Attacks May Cause Avoidable Risks and Consequences

Here are a few of those elements that intertwine during HIPAA Breach Incidents:

  • Operational Disruption: Successful phishing attacks affect healthcare operations in several ways. Ransomware delivered by phishing can lock systems and data, and the disruption may reach patient treatment, billing, and administration.
  • Reputational Consequences: HIPAA Covered Entities and Business Associates suffer reputational damage when phishing compromises PHI, and the patients, partners, and employees affected by the breach bear the harm.
  • Legal and Financial Implications: Phishing has costly legal and financial consequences that can be avoided. Civil monetary penalties may follow a breach investigation, and it takes only one complaint filed with OCR to open one. Let me say that again: an investigation begins with a single person, inside or outside the organization, filing a formal complaint.

Healthcare compliance and the dangers of phishing are linked. Successful phishing attacks lead to breaches of protected health information (PHI), which in turn lead to investigations under the HIPAA Rules. These attacks keep healthcare organizations from doing their jobs, cause unnecessary costs, and invite legal scrutiny if left uncorrected. Protecting against phishing is therefore part of understanding and meeting your regulatory obligations.

"But isn't cybersecurity someone else's job?"

That's exactly why we can't have nice things. For health workers who share responsibility for safeguarding patient data and maintaining compliance with regulations like HIPAA, the specter of phishing casts a long and chilling shadow.

Our compliance advisors recognize your unique challenges, ranging from protecting cybersecurity to ensuring the integrity of your healthcare organization's daily operations.

Final Thoughts: HCP Recommendations

In summary, phishing wreaks havoc within the digital infrastructure of healthcare. Patient data, compliance, and the integrity of healthcare organizations are all at risk. In this article, you gained an awareness of healthcare-focused phishing attacks, exploring the tactics employed by cyber adversaries who seek to breach the trust and security of healthcare organizations. From the impersonation of trusted healthcare entities to the manipulation of health workers through psychological tactics, we hope to shed light on the devious strategies you may encounter sooner rather than later.

Here are the top action items HIPAA Covered Entities and Business Associates should glean from this article:

Regular Workforce Training on Cybersecurity

Consistent workforce training keeps your team one step ahead. Empower your first line of defense against cyberattacks: you, your employees, and your teammates.

Don't Take the Bait and Slow Down

Social engineers rely on individuals NOT taking a moment to pause and scrutinize. Slow down to go faster. It could be the difference between business continuity and a costly breach.

Security Risk Assessment (SRA): HIPAA Requirement

HIPAA's Security Rule requires covered entities and business associates to conduct a security risk analysis, delivered in practice as a security risk assessment (SRA). The rule does not fix an interval, but the analysis must be kept current as systems and threats change, and annual review is the accepted baseline. Treat it not as a checkbox task but as a crucial part of safeguarding protected health information (PHI).

Access Compliance Resources

Login to the HCP Portal to access your compliance resources (only available for HCP Clients).

Our company's objective is clear: to equip healthcare professionals like you, from practice administrators and office managers to compliance officers, CEOs, and owners, with the practical insights and tailored compliance strategies necessary to protect your healthcare organization.

Overall, HCP strongly recommends regularly reviewing and assessing potential vulnerabilities to ensure compliance. Protect the trust of your customers.