Phishing is the name of a method which entices you to give up your personal or financial information to people or organizations masquerading as a legitimate source. The bait is the request from a source you are familiar with, but is in fact, a replication or a phony. Phishing attacks may occur to your personal account, or they may involve your medical organization. In any event, knowing how to recognize them and not take the bait is the key to preventing a successful phishing attack.
Phishing attacks try to obtain valuable information from you such as your:
- Credit card number
- Bank account number
- Social security number
- Online account logins and passwords
The pilfered information is used to steal your money or in the case of your organization, carry out identity theft or introduce malware into your information systems.
Phishing attacks are carried out primarily in two main ways. First, attackers use phishing emails which look very similar to what you normally see in your daily e-mails. Second, attackers use links to websites that look similar to other organizations, companies, and/or banks that you visit frequently. Phishing e-mails and websites have the following characteristics:
- They all ask for you to provide personal information. Most legitimate organizations, and including all banks, will not ask you to provide personal information whether it be your credit card number or your login password.
- There is usually a sense of urgency. The phishing emails request immediate action and they use this technique to get you to bite quickly. This is the same technique you see on TV ads for a product whereby your quick response for “acting right now”, will get you a discount or a second item at half price. Or the e-mail will be emotional and pull at your “heart strings” in order to entice you to act.
- Most phishing emails have a generic “hello” for the greeting. The e-mail does not use your name since it is the same phishing e-mail sent to millions.
- The e-mails may contain attachments which are most likely malware and the moment you click on it, you invite malware (malicious code) into your system which will begin to destroy or copy your hard drive and its contents.
- The e-mails may also contain a phony link to a phony website. The link is masked so what you see looks correct, but the actual hyperlink is set up to go to the phony site. Hover your mouse over the link to see what is truly behind it.
- Many times, the e-mails contain poor grammar. Remember, hackers come at all levels with some that are very good at what they do, and others with poor writing skills.
- Legitimate websites use Secure Sockets Layer (SSL) for protecting the information you enter into the site; look for https:// instead of http:// in the URL. The added “s” means the site is secured.
Phishing attacks have increased over the years as hackers have gotten smarter and more clever. However, there are preventive steps you or your staff can take to survive the attacks with little to no damage. Consider the following:
- Your IT department should consider installing robust spam filters which can identify these e-mails and send them to the spam folder instead.
- If the e-mail looks suspicious, don’t trust it. Instead, pick up the phone and call the organization to determine if they sent the e-mail in question.
- If the link looks suspicious, don’t click on it. Instead, manually type the organizations real URL into your browser and provide the information after you have confirmed it was the organization that contacted you.
- Your IT department should consider adopting a URL scanner which will check the authenticity of any website you visit.
- If your organization uses Internet Explorer, ask your IT department to turn on the SmartScreen filter which will help you discover if a website is a phishing site.
- Unlike your browser at home, your organization determines what browser you will use at work, and it is most likely a newer browser which is supported with patches by the manufacturer. Nonetheless, your IT department could consider installing a security toolbar to alert you when visiting known phishing sites.
While the above technical steps will help minimize the effects of a phishing attack or help avoid them altogether, the ultimate defense lies with the user or employees themselves. It is the human factor that contributes to the large cases of successful phishing attacks since employees are ultimately tricked to open the link and/or respond to the e-mail. However, the more your workforce is educated regarding phishing, the more likely they will recognize an attack when it occurs. Some organizations have conducted “phishing simulations” to determine how many individuals will fall prey to the fake phishing attack. Afterwards, those individuals are provided additional training. This can be a great way to provide training and practice recognizing phishing attacks, but organizations need to make sure no punitive action is taken. Instead, consider an organization wide contest such that the department with the lowest number of tricked employees wins some prize or recognition.
Phishing attacks will continue and become more elaborate. The best defense is to employ technical safeguards to help detect them as well as to train your staff how to recognize them and not take the bait.
Happy HIPAA trekking!
When thinking about your information system asset inventory, it is easy to focus solely on the compliance elements. When doing so, many smaller healthcare organizations will opt not to keep an inventory, as it is not explicitly required in HIPAA. Although not specifically required in the HIPAA Security Rule, there are indicators in the Security Rule that an accurate and up-to-date information systems asset inventory will support several of the requirements within the Rule such as Risk Analysis, Risk Management, Information Systems Activity Review, Device and Media Management, and Audit Controls.
An information system asset inventory is more than just tracking your hardware. According to the HIPAA Security Rule Crosswalk to NIST, managing assets enables “the organization to achieve business purposes that are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.”
There are many benefits of creating and maintaining an accurate and up-to-date inventory. The three broad categories of benefit are: Risk Management, Business Operations, and Financial.
You can’t protect what you don’t know you have. Arguably one of the most important requirements of the HIPAA Security Rule is the Risk Analysis. Organizations that have to comply with HIPAA, are required to identify reasonable threats and vulnerabilities to their electronic PHI. Having an information system asset inventory will give the organization a starting place for this process.
Conducting audits and reviewing your system activity is also drastically simplified when there is an inventory in place. The inventory serves as a checklist to ensure you have reviewed/audited all the systems in your organization where PHI is stored, accessed, transmitted, or created.
Healthcare entities are notoriously short staffed and as such are constantly looking for ways to improve their productivity with their existing workforce. The irony is that the healthcare industry as a whole as a reliance on older and legacy systems which are costly from a productivity standpoint (which translate into lost dollars). Having an information system asset inventory helps to identify technology gaps. Since we know that older systems that are not supported by the manufacturer are a major risk factor, having an inventory that reflects the age of a system can identify when that system should be replaced. This not only will help improve productivity, but will also reduce the risk of a technical breach to your organization.
Reducing risk and improving productivity will have a direct and positive impact on your organization. Understanding the percentage of your budget spent on technology is also important. The healthcare industry has historically not invested heavily on their IT infrastructure and supporting systems. The majority of the healthcare IT budget is spent on softwares such as EMR and telehealth. This can cause an increased cost to productivity, operations, and compliance as not enough attention is being spent on the infrastructure itself. As detailed in Business Operations, an information systems asset inventory can give a broad picture to help identify these gaps in order to allot appropriately in your organization’s budget.
More than just managing risk and operations, having a detailed list of your organizations information systems (particularly hardware) can have an added tax benefit as these systems can be depreciated over time. Unlike other assets in your organization, technology becomes less valuable over time.
Creating and managing an information system asset inventory is good for your business and ultimately for your patients. Start simple, create a spreadsheet to list all your hardware and software systems. Remember to include personal devices that are used within your network (so-called Bring Your Own Device). Consider including the cost and age of the information systems as well. As you continue this process, or if you are a larger healthcare entity, you may want to use a software system that can help you track these systems.
A healthy organization is one that manages its risks and creates a culture of security. Having an information system asset inventory list is an important step in the health of your organization!
If you have any questions, please don’t hesitate to reach out! Happy HIPAA trekking!