Enacting a protocol to prevent a common method of cyberattack.
By Stuart Oberman, Esq.
April 24, 2024
Phishing, in which a fraudulent e-mail is sent to an individual or organization to get that person or group to reveal private information, threatens all businesses, including healthcare practices.
Here is what you should know, and do, to mitigate this risk to your patients’ private information and to your practice.
What’s at Stake for Your Practice?
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled its first-ever investigation of an e-mail phishing attack.
HHS/OCR determined that Lafourche Medical Group (LMG) violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. As a result, LMG agreed to pay a fine in the amount of $480,000.
How Does Phishing Work?
Phishing is one of the most common initial access points for cyberattacks within the healthcare industry. Phishing involves the use of social engineering techniques to trick individuals into disclosing sensitive information.
On March 30, 2021, one of the owners of LMG received a phishing e-mail that appeared to have been sent by another LMG owner. In response, the owner inadvertently provided the attacker with access to LMG’s Microsoft 365 environment, which contained protected health information (PHI).
HHS/OCR launched an investigation to determine whether LMG had complied with the HIPAA Security Rule; it had not.
What Did LMG Do Wrong?
Unfortunately, LMG did not conduct the required risk analysis before the breach occurred. In addition, LMG had no policies or procedures in place to regularly review the activity logs within its information systems to safeguard PHI against a cybersecurity attack.
LMG opted to settle with HHS/OCR and pay a fine in the amount of $480,000.00. In addition, LMG agreed to adopt a corrective action plan (CAP), which included the following requirements:
- Create, document and implement sufficient security measures to reduce the risks and vulnerabilities to ePHI that were identified in HHS/OCR’s December 2022 Security Risk Assessment, which has since been updated.
- Conduct an accurate and thorough annual HIPAA risk assessment to identify the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by LMG, including any affiliates that are owned, controlled or managed by LMG, and document the security measures LMG implemented or is implementing to reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
- Develop written policies and procedures to address any threats and vulnerabilities to the ePHI that was specifically identified in its risk analysis and risk management plan.
- Develop written policies and procedures to address information system activity reviews.
- Provide HIPAA training to all employees within LMG’s workforce who have access to PHI or electronic PHI (ePHI).
E-Mail Phishing Security Protocols to Enact in Your Practice
Optometry practices are required to conduct an annual, as well as an ongoing, risk analysis of practice protocols to prevent a cybersecurity breach.
Below are e-mail phishing security protocols that should be reviewed and implemented as recommended by HHS/OCR to prevent a cybersecurity breach:
- Be suspicious of e-mails from unknown senders, as well as e-mails that request sensitive information, such as Protected Health Information (PHI) or personal information.
- Train all employees to recognize suspicious e-mails.
- Never open e-mail attachments from unknown senders.
- Tag external e-mails to make them recognizable to employees.
- Implement incident response protocols if a successful phishing attack occurs.
- Implement advanced technologies for detecting and testing e-mails for malicious content or links.
- Implement multi-factor authentication.
- Implement proven and tested response procedures when employees click on phishing e-mails.
- Do not respond to e-mails that call for immediate action or stress a matter of urgency.
All optometry practices are required to conduct an annual HIPAA risk analysis, which will determine a practice’s vulnerability to a cyberattack.
It is expected that HHS/OCR will continue to take an aggressive stand regarding phishing e-mails and required risk analysis assessments, so it is critical to create or update protocols for guarding against phishing-based cyberattacks in your practice.
Stuart Oberman, Esq., is the founder and president of Oberman Law Firm in Cumming, Ga. To contact him: stuart@obermanlaw.com.