
How to protect your practice from email scams

Email scams—known as phishing—can expose your practice’s patient records and lead to massive fines.

Larson, S. (2020, January 1). How to protect your practice from email scams. https://www.apaservices.org/practice/business/technology/email-scams

There has been an increase in telephone scams targeting psychologists, health care systems and patients. But email phishing scams have also become more prevalent and could lead to Health Insurance Portability and Accountability Act (HIPAA) sanctions for your practice.

Phishing scams are usually attempted through email. These messages will look authentic and include instructions to open a document or click on a link that takes the recipient to a separate webpage. Clicking on the link or document may trigger the download of malware (malicious software and viruses) into the computer system. Some phishing attempts that target health care practices end up gaining the username and password of a practice staff member, and a hacker could use this information to access electronic protected health information (ePHI) from patients almost immediately.

While HIPAA does not specifically speak to phishing, phishing may pose a threat to the confidentiality and security of patient PHI. The HIPAA Security Rule requires that practices conduct a comprehensive risk analysis of potential threats to PHI. A risk analysis should identify risks and vulnerabilities that could potentially result in ePHI being exposed or stolen. Those risks must then be addressed as part of your practice’s security management process. You should highlight any potential risks from phishing as part of your HIPAA risk analysis.

Additionally, HIPAA requires that all staff be trained in security awareness, such as how to protect themselves and the practice from malicious software, the proper use of security on mobile devices, and how best to securely manage passwords and logins. Staff should be taught how to identify potential phishing emails and the correct steps to take if they believe they have received a phishing email or have opened a malicious document or link.

Health care providers who do not take steps to safeguard their practice could end up paying a large fine or settlement for failing to comply with privacy and security regulations. For example, Anthem recently paid the largest HIPAA settlement ($16 million) in history after reporting a breach of ePHI due in part to cyber-attacks conducted through phishing emails.

So, how do you spot a phishing scam?

  1. Look closely at all aspects of the email, not just the sender’s name. Hackers often impersonate well-known companies or products and change the address slightly. For example, the sender may claim to be “APA” but the email address is APA@123456.com.
  2. Be aware of spelling and grammatical errors within the email or email address.
  3. Never open an attachment unless you are certain it is from a legitimate party. In 2015, the University of Washington paid a $750,000 fine as part of a HIPAA settlement following a phishing attack where an employee downloaded a malicious email attachment.
  4. Do not click on suspicious links within an email. This may be more difficult because the link could be disguised as a “continue” box (or something similar). If you hover over the box, you should be able to see the destination address. Again, check this hyperlink/address for spelling errors or see if it’s sending you to a different destination. For example, an email could claim to be from “Netflix” but the link would take you to an address that has nothing to do with Netflix.
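As an added illustration of items 1 and 4 (example code written for this page, not part of the original article), the Python script below applies those two checks to a constructed sample message: it compares a trusted display name against the domain the mail actually came from, and compares each link’s visible text with its real destination host, surfacing the hidden destination of button-style links such as “continue”. The allowlist, the sample message and every domain in it are assumptions made up for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allowlist (assumption, not from the article): trusted display
# name -> domain its mail should really come from.
EXPECTED_SENDER_DOMAINS = {"apa": "apaservices.org"}
SAMPLE_EML = """From: APA <APA@123456.com>
Content-Type: text/html

<p>Please <a href="http://login.example-bad.test/reset">continue</a> or go to
<a href="http://example-bad.test/">www.apaservices.org</a>.</p>
"""  # constructed sample message, not a real one; it triggers both cues

def same_site(host, domain):  # host equals domain or is a subdomain of it
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_cues(raw_message):  # cues for checklist items 1 and 4
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    cues, expected = [], EXPECTED_SENDER_DOMAINS.get(name.strip().lower())
    if expected and not same_site(addr.rpartition("@")[2], expected):
        cues.append(f"sender says '{name}' but address is {addr}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if "." in text and not same_site(host, text.split("/")[0]):
            cues.append(f"link text '{text}' but destination is {host}")
        elif "." not in text:  # button-style link: show the hidden destination
            cues.append(f"link '{text}' goes to {host}")
    return cues
```

Running `phishing_cues(SAMPLE_EML)` reports the mismatched sender, the real destination behind “continue”, and the link whose text names one site while pointing at another; a message that passes all three checks yields an empty list.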

What can you do to protect your practice?

The HIPAA Security Rule requires technical safeguards to be implemented to protect against threats to ePHI. Reasonable and appropriate security measures, such as encryption and two-step authentication, should be employed to protect ePHI. Given the increase in phishing scams, as well as the fact that ePHI is often accessible through email accounts, consider using spam-filtering software with anti-phishing components—such as SpamTitan, SolarWinds Assure or Mailwasher*—to protect your practice.

*APA does not recommend or endorse any of these products. Those who use these products do so at their own risk. Psychologists should conduct their own research of different products to determine the best fit for their practice.
