Who is Phishing for your PHI?

An email arrives in your inbox tomorrow from someone working at one of the large insurance companies.  It tells you that someone has attempted to make changes to your information on their systems.  It is very specific because it uses your name and says they feel certain it was due to an attempted hack on their company systems, not from something you did.  Then, it also asks you to review the information in the document attached to the email.  They want to be sure none of your payments are going to be delayed.

You open the attachment and it isn’t even your information; it is some doctor’s office name and address in another state.  Now what do you do?  Do you send some emails and make phone calls trying to figure out what is going on?  Or maybe you forward the email on to someone in your office to check it out and see what they think.  Eventually you decide someone at the insurance company just screwed up and you aren’t going to worry about it.

At this point, you are completely under attack and you have no idea at all that the attack is going on.  The only hope you have is that your protections in place will keep them from stealing too much from you.  The minute you opened that attachment it loaded a program on your computer that allows the criminals into your computer.

Phishing became a very successful attack method by the beginning of 2004.  The techniques used then have since been countered by education and more sophisticated email filters.  Spear phishing is the current method used to get around those measures.  Spear phishing is hard to detect with the filters that protect you from the standard phishing scams of the past.  The weakest link in all network security is usually the human factor, so these attacks are aimed directly at that weakest link – you and your people.

In spear phishing attacks, specific people and the data they access are the target.  The criminals don’t just blast out fake emails hoping some poor soul falls for it.  Instead they use the same legitimate tools that marketing companies and advertisers use to get to know you.  Legitimate use of those tools allows a business to send you only ads that are relevant to you, your habits, your location or your job.  Consider that the same information that allowed someone to send you an invitation to a seminar you never heard of before, but which matches exactly the topic you have been researching and studying, can also be used to trick you into letting them into your systems, network and data.

Spear phishing is growing at an alarming rate.  It also requires the criminals to be committed to the research and the specialized information required to fool you into giving them what they want.  Add to that thought the recent headlines that healthcare leads all industries in breaches, with a 138% increase in 2013 over 2012.  Where do you think those criminals will be focusing soon, if not already?

Do your HIPAA policies, procedures and training program worry about educating your users about recognizing phishing emails of all sorts?  The best protection is education and security awareness when it comes to these kinds of threats.  Training is key to making sure the protections you put in place have a chance to protect you.  Security awareness should be a regular discussion in your office.

One other note: there is an even more sophisticated method of phishing called whale phishing.  It targets people with titles like CEO, President, etc.  These attacks go after someone in charge.  Just a thought: who in your organization is listed on some public site, even your own, as being in charge?

HIPAA security isn’t just something you should see as a hindrance to your day-to-day work life.  It really does have you address things that any office connected to the Internet should be doing in today’s connected world.
