The number of successful phishing attacks on healthcare organizations has increased in the past few weeks. In just four weeks, the Department of Health and Human Services’ Office for Civil Rights received 10 major email hacking incident reports with a total of about 90,000 health records exposed. Each of the incidents exposed the PHI of more than 500 people, leaving it open to potential theft.
Here’s the list of recent breach incidents on healthcare organizations:
| HIPAA-Covered Entity | Records Exposed |
|---|---|
| Knoxville Heart Group | 15,995 |
| USACS Management Group Ltd | 15,552 |
| Texas Health Physicians Group | 3,808 |
| Scenic Bluffs Health Center | 2,889 |
| ATI Holdings LLC | 1,776 |
| Worldwide Insurance Services | 1,692 |
| Diagnostic Radiology & Imaging, LLC | 800 |
| The Oregon Clinic | Undisclosed |
This year, three data breaches caused by the hacking of email accounts, each resulting in the exposure of over 30,000 health records, have already been reported. The organizations affected were:
- Agency for Health Care Administration – 30,000-record breach in January
- ATI Holdings, LLC – 35,136-record breach in March
- Onco360/CareMed Specialty Pharmacy – 53,173-record breach
According to Wombat Security’s 2018 State of the Phish Report, three-quarters of organizations had been hit with phishing attacks in 2017, and 53% of those were targeted attacks. The Verizon 2017 Data Breach Investigations Report published in May said that 43% of data breaches were due to phishing. Another study conducted by HIMSS Analytics together with Mimecast showed that 78% of U.S. healthcare providers had been attacked successfully via email hacking.
In view of the above statistics, how can healthcare organizations improve their phishing defenses? Phishing attacks target the employees of an organization. Hence, the best way to defend against phishing attacks is to train employees to recognize phishing attempts and to develop better security awareness. HIPAA actually requires security awareness training of the workforce. It should be ongoing and evolving to address new cybersecurity threats.
Although HIPAA does not specify a frequency for security awareness training, a healthcare organization should consider an ongoing security training program. Bi-annual training with monthly security updates is recommended. More frequent training may be adopted depending on the organization’s level of security risk. Different training techniques may be used, including classroom sessions, team discussions, CBT training, email alerts, newsletters and posters.
The healthcare organization should also consider signing up with threat intelligence services to stay up to date with new threats and scams. Such services provide knowledge of new malware and phishing techniques, along with countermeasures the organization can implement or at least be aware of.
The organization should also implement technological safeguards to minimize security risks such as:
- Anti-virus and anti-malware solutions to detect malicious software and suspicious network activities
- Spam filters to limit the malicious emails delivered to inboxes and quarantine emails with harmful attachments
- URL/link checkers to analyze unknown URLs before allowing access to the linked webpage
Phishing attacks will most likely continue because of the immense success attackers have had in accessing networks and PHI. Healthcare organizations therefore need to do their part to make email hacking and phishing difficult for attackers.