On June 6, 2019, Presbyterian Health Services, a health care system and health care provider in New Mexico, discovered a potential breach of protected health information (ePHI).
You might assume that a hacker breached their firewall or snuck into their network undetected. That was not the case. The breach occurred because well-intentioned employees fell victim to a phishing email.
Phishing Emails Have Evolved
We’ve all gotten them – you received an inheritance from a distant relative or a Nigerian Prince needs your help investing his money in the United States. The sender just needs your social security number and other personal information to transfer the funds. But phishing emails have gotten MUCH more sophisticated.
With just your name and company name, hackers can find your picture online, figure out where you went to school, and what non-profits you support. They use that information to carefully craft an email that looks almost identical to emails you commonly receive from a professional association, membership organization, vendor, or other legitimate organization.
These carefully engineered phishing emails typically result in either a ransomware attack, as described in the video, or seek to obtain information used for identity theft and fraud, as was the experience at Presbyterian Health Services.
Why do attackers put so much effort into crafting the perfect phishing email?
Medical records sell for up to $1,000 on the dark web, 10 times greater than the going rate of social security and credit card numbers. It is extremely lucrative for individuals to invest the time to study you and your company’s online presence and determine the types of email messages that could generate the desired response.
But isn't that why I have a firewall and email filtering service?
And yes – documented policies and procedures are a required part of HIPAA compliance, but are those policies and procedures adopted in day-to-day end-user practice? Has your organization adopted a culture of security?
If not, your network and protected information are not secure.
Security and compliance aren’t the results of the most up-to-date firewall or the latest update to your policies and procedures manual.
Yes – you must have those things in place.
But – real data security and HIPAA compliance occur through educated users who practice good habits and are good stewards of your network and data.
This happens in two key ways that have nothing to do with technology.
Take that policy and procedure manual off the shelf and into corporate culture. Security and compliance don’t happen in a vacuum. They are not a stand-alone conversation, but a component of every conversation. Your network and data are not protected until everyone not only understands the importance of security but incorporates it into their day-to-day habits.
The 70-20-10 model shows that 70% of learning and development happens on the job, 20% through one-to-one interactions, and 10% through formal training events. If you’re only talking about security and compliance during annual training events your employees are missing 90% of the development they need. When security and compliance are a part of your culture, employees not only get the information at training events, they talk about compliance when they’re working together, and they talk about it with their supervisor during regular check-ins.
There are a few things you can do right now to start making security and compliance part of your culture.
- Incorporate security habits into your next conversation with staff.
- Lead by example and practice good habits yourself.
- Ask how security is impacted by new processes, or ask your team to evaluate current processes for security.
- Incorporate outcomes of your next HIPAA training event into future meetings, and communication (i.e. don't let training start and stop with the event).