Phishing has become an increasingly common type of cyber attack used by criminals and others with malicious intent. While businesses and organizations of every kind are susceptible, healthcare providers are at particularly high risk because of the sensitive data they store. Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, healthcare providers are required to implement appropriate and meaningful safeguards to prevent unauthorized access to Protected Health Information (PHI), which means the risk posed by phishing must be addressed.
What Is Phishing?
Let's first go over the basic definition of phishing, since some readers may be hearing the term for the first time. The United States Federal Deposit Insurance Corporation (FDIC) provided the following definition: “The term 'phishing' - as in fishing for confidential information - refers to a scam that encompasses fraudulently obtaining and using an individual's personal or financial information.”
This definition is somewhat broad, however. In practice, phishing usually involves an attempt to acquire personal information by spoofing or imitating a trusted organization. One example is an email sent to credit card holders asking them to log into their account and update their information. The email may look legitimate, but the link leads to an attacker-controlled page that captures the user's credentials, or to a download that installs malware. In essence, the attacker is “fishing” for sensitive information, which is where the term comes from.
Preventing Phishing Scams in Healthcare
Healthcare providers have become a prime target for attackers in recent years. You don't have to search very far to find stories of healthcare companies being breached, such as the Premera and Anthem incidents. Many such attacks can be avoided, however, by implementing the appropriate safeguards.
Covered entities should implement both administrative and technical safeguards to prevent phishing attacks. Administrative safeguards include training employees to distinguish authentic emails from phishing emails, verifying that the intended recipient of PHI is who they claim to be before sending it, and reporting phishing attempts internally and to the authorities. Technical safeguards include mail filtering and sender authentication (SPF, DKIM and DMARC) so that spoofed senders are rejected or flagged, multi-factor authentication so that a stolen password alone is not enough to reach PHI, and endpoint protection such as virus scanners and firewalls to limit the damage when a malicious attachment or link is opened.
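To make the "spoofed sender plus misleading link" pattern described above concrete, and to show the kind of check a mail filter or help-desk triage script applies as a technical safeguard, here is an added example that is not part of the original article. It parses a raw email, compares the Reply-To and Return-Path domains against the From domain, and flags links whose real destination is outside the sender's domain or differs from the address shown in the link text. The sample messages, addresses and domains are constructed for illustration; the heuristics are deliberately simple and do not replace SPF, DKIM or DMARC evaluation at the mail gateway.

```python
"""Heuristic phishing triage for a raw RFC 5322 message (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a spoofed "update your account" email. The From header
# claims examplebank.com, but replies, bounces and the link all go elsewhere.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@examplebank-verify.net
Return-Path: <bounce@mailer-x7.example.net>
To: clinician@clinic.example.org
Subject: Action required: confirm your account details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been locked. Please
<a href="http://examplebank.com.login-secure.example.net/update">https://www.examplebank.com/login</a>
to update your information within 24 hours.</p>
</body></html>
"""

# Constructed benign sample: every domain is the sender's own domain.
BENIGN_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.com>
Return-Path: <bounce@examplebank.com>
To: clinician@clinic.example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Sign in at <a href="https://secure.examplebank.com/login">https://secure.examplebank.com/login</a>.</p>
</body></html>
"""


def _domain(addr_or_url: str) -> str:
    """Lower-cased host of an email address ('user@host') or URL."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].strip(" <>").lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def same_org(host: str, sender_domain: str) -> bool:
    """True only if host IS sender_domain or a true subdomain of it.

    'examplebank.com.login-secure.example.net' is NOT a match, even though it
    starts with the bank's name; that is the classic lookalike trick.
    """
    return host == sender_domain or host.endswith("." + sender_domain)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []
    from_dom = _domain(parseaddr(str(msg["From"]))[1])

    # 1. Reply-To / Return-Path pointing away from the claimed sender.
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr]:
            dom = _domain(parseaddr(str(msg[hdr]))[1])
            if dom and not same_org(dom, from_dom):
                findings.append(f"{hdr} domain {dom} does not match From domain {from_dom}")

    # 2. Links whose destination is outside the sender's domain, or whose
    #    visible text names a different host than the real href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = _domain(href)
            if not href_host:          # relative link, nothing to compare
                continue
            if not same_org(href_host, from_dom):
                findings.append(f"link host {href_host} is outside sender domain {from_dom}")
            if text.startswith(("http://", "https://")):
                text_host = _domain(text)
                if text_host and text_host != href_host:
                    findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyze(sample) or ["no findings"])
```

Run against the phishing sample, `analyze` returns four findings: mismatched Reply-To and Return-Path domains, a link host outside examplebank.com, and link text that shows www.examplebank.com while pointing at the lookalike host; the benign sample returns none. The subdomain check in `same_org` is the part worth copying: a naive `startswith("examplebank.com")` test would accept the lookalike domain.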
Phishing is a serious threat to every healthcare provider. As we become more and more connected to the Internet, attacks like this will continue to rise. Following HIPAA's rules and implementing the appropriate technical and administrative safeguards, however, can reduce your practice's risk of a successful attack.