Regulatory Compliance: Don't Get Phished
CDA Practice Support
The HIPAA Security Rule requires a covered entity, such as a dental practice or clinic, to have a security awareness and training program for its workforce.[1] The FBI reported phishing as one of the top three most reported cybercrimes in 2021. Cybercrimes led to losses of more than $6.9 billion nationally that year, the agency reported, with almost $13 million lost in California due to phishing. The agency’s annual “Internet Crime Report” also cites phishing as one of the top methods used to deploy ransomware:[2,3]
“Although cyber criminals use a variety of techniques to infect victims with ransomware, phishing emails, Remote Desktop Protocol (RDP) exploitation and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents reported to the (Internet Crime Complaint Center) IC3.”
What Is Phishing?
Phishing is a type of social engineering tactic used to deliver malware to computer networks or to get a victim to provide log-in credentials or other sensitive information. It relies on human behavior; for example, many people are not attentive when they are in a hurry or are focused on something else. Email communication is often used for phishing. Phishing targets everyone with no regard to their job, industry or organization size, whereas “spear phishing” targets specific individuals or a group in an organization or industry, for example, senior vice presidents in a corporation. Phishing websites spoof legitimate websites. Victims often are directed to these sites through phishing emails but can also come across them by browsing the internet.
Phishing emails create a sense of urgency for victims to act by clicking on a link or providing information. A threat may be implied. The emails can be convincing by appearing to be from a legitimate organization, such as a bank, vendor or internet provider. If a link is clicked, the victim may unknowingly allow malware to download or provide information that can be used to access personal or business accounts.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) notes that “. . . most cyberattacks could be prevented or substantially mitigated if HIPAA-covered entities and business associates (“regulated entities”) implemented HIPAA Security Rule requirements to address the most common types of attacks, such as phishing emails, exploitation of known vulnerabilities and weak authentication protocols. If an attack is successful, the attacker often will encrypt a regulated entity’s ePHI to hold it for ransom or exfiltrate the data for future purposes including identity theft or blackmail.”
How To Prevent Getting Phished
A good first line of defense is to implement technology, such as a firewall and antivirus software, to filter out potentially harmful and malicious emails. Not all potentially harmful emails are caught by any one type of technology, so a multilayer security approach is best. Work with your IT adviser and your email service provider to determine the best solutions for your practice. You should consult with them periodically thereafter and keep these technologies up to date because cyberthreats, risks and technology continuously change.
Under the HIPAA Security Rule, a covered entity is required to provide its workforce with information security awareness training. Such training should not only review the security measures the dental practice has implemented, such as use of unique user IDs and regular system monitoring and auditing, but also inform the staff on how to do their part in ensuring patient information remains secure. Doing their part means staff need to know how to recognize phishing emails and websites. There are different methods for delivering this training. Free training resources are available from:
■ HHS Email Phishing Fact Sheet
■ HHS Email Phishing Threat Slides
■ NIST Phishing Guidance
■ The Federal Trade Commission
■ Cybersecurity & Infrastructure Security Agency, Avoiding Social Engineering and Phishing Attacks
■ YouTube for videos on “how to avoid phishing”
Enhanced phishing awareness training can include using a service that sends simulated phishing emails to employees. Employees should also be trained on what they need to do when they detect a phishing attempt. The dental practice’s security incident response plan must be documented, and training should be reinforced with periodic security reminders.
Simple tips to help prevent phishing include:
■ Don’t rush to click on a link.
■ Carefully review the email sender’s address to ensure its legitimacy.
■ Check for poor grammar, misspellings and other errors.
■ To verify a link, hover the cursor over it (without clicking) until the actual destination address appears, and compare that address with the text the link displays.
■ If you remain uncertain about a web link or an email, contact the company or individual who may have sent the email or link. Use the phone number found on the company’s website and not the one included in the email.
■ Beware of suspicious attachments.
■ Stay informed about current cybersecurity threats. Bad actors exploit current events; for example, phishing attempts in health care skyrocketed during the COVID-19 pandemic. Regularly check the Cybersecurity & Infrastructure Security Agency website for recent cybersecurity alerts, or ensure your IT adviser is regularly checking the website.
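Two of the tips above, checking the sender’s address and comparing a link’s displayed text with its real destination, can be automated as a first-pass screen before a message reaches a reader. The script below is an added example written for this article; it is not code from CDA Practice Support or any referenced agency. The email it analyzes is a constructed sample, and all domain names in it (example-mail-service.test, not-example-bank.test, examplebank.test) are made-up placeholders. It flags links whose visible text names a different host than the href (what hovering would reveal) and a Reply-To domain that differs from the From domain.

```python
"""Screen an email for two common phishing indicators.

Added example, not part of the original article. All sample data below is
constructed; the .test domains are reserved placeholders, not real sites.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the Reply-To domain differs from the From domain, and the
# first link displays one address while its href points somewhere else.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-mail-service.test>
Reply-To: support@not-example-bank.test
To: office@dental-practice.test
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your account will be locked. Click to verify:</p>
<a href="http://login.not-example-bank.test/verify">https://www.examplebank.test/login</a>
<p>Questions? Visit <a href="https://www.examplebank.test/help">our help page</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the lower-cased host of a URL or bare domain, or None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def looks_like_url(text):
    """True when link text itself resembles a URL or domain (e.g. 'bank.test')."""
    return "://" in text or ("." in text and " " not in text)


def find_link_mismatches(html):
    """Return (shown_text, real_href) pairs where the shown host differs from the real one."""
    parser = LinkExtractor()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        if href and looks_like_url(text) and host_of(text) != host_of(href):
            mismatches.append((text, href))
    return mismatches


def find_sender_issues(msg):
    """Flag a Reply-To address whose domain differs from the From address domain."""
    issues = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        issues.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return issues


def analyze(raw_message):
    """Parse a raw RFC 822 message and return the indicators found."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # single-part text/html in this sample
    return {"links": find_link_mismatches(body), "sender": find_sender_issues(msg)}


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    for shown, real in report["links"]:
        print(f"Link shows {shown!r} but actually goes to {real!r}")
    for issue in report["sender"]:
        print(issue)
```

A screen like this catches only the crude mismatches; links whose text is a harmless phrase (“our help page”) are not flagged because there is nothing to compare, which is exactly why the tip tells staff to hover over every link rather than trust the text.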
The OCR states, “Combining an engaged, educated workforce with technical solutions gives regulated entities the best opportunity to reduce or prevent phishing attacks.”