Home Health & Hospice Week

Warning: Phishing is a very real threat.

With the 2018 HH PPS final rule just out, the draft interpretive guidelines for the new Conditions of Participation set to hit in January, Targeted Probe & Educate medical review ongoing, and a myriad of other obligations on your plate, you may find HIPAAhard to prioritize. But if you're like the following health care companies, that attitude will cost you.

In September, emails from a myriad of healthcare organizations were the cause of 13 HIPAA breaches, according to the HHS Office for Civil Rights Breach Portal. Of the aforementioned violations, six were hijacked by hackers, and the remaining seven were due to unauthorized access or disclosure. As many as 206,994 individuals had their ePHI compromised via email-related incidents in that month alone, with the majority - 155,682 of the total - attributed to hacking incidents.

It Only Takes One Email

Three violations stood out in terms of individuals impacted amongst the group of 13. All involved phishing schemes through email infiltration. They included the following large-scale HIPAA breaches:

• Morehead Memorial Hospital: The Eden, North Carolina hospital reported the exposure of 66,000 individuals' ePHI on Sept. 15 due to a phishing expedition gone awry. "An unauthorized party sent fraudulent communications to Morehead, enabling them to obtain login information that allowed access to two email accounts within the hospital," noted a Morehead Memorial release on the data incident.

Unfortunately, the hacked accounts contained sensitive information from both patients and employees that ranged from "health insurance payment summaries, treatment overviews, health plan

information, and in limited cases, Social Security numbers." Precautions are in place now that include a "network-wide password reset," and federal law enforcement are pursuing the cyber criminals, the news brief suggested.

• Network Health: Despite "technical safeguards" in place to combat against outside invaders, two emails were the means of access for a phishing scheme that exposed 51,232 individuals. Though there was no evidence that delicate information was lost, the health insurer "took prompt action to secure the affected email accounts, to contain the impact and prevent further threats from the intruder," reported Network Health in a release.

The Menasha, Wisconsin organization added, "A forensic security expert was engaged to assess the attack and evaluate whether other areas of Network Health's network were compromised."

• ABB Inc.: The Cary, North Carolina company ABB Inc. updated its breach on Sept. 11. The incident impacted the ePHI of 28,012 people and was "the result of a hacker sending a phishing scheme email to ABB employees on or around August 25, 2017," noted the ABB notice letter, which was part of a New Hampshire Department of Justice release on the event. Of the three cases, the social engineers potentially uncovered the "name, address, Social Security number and medical record(s) used in ABB Employee Benefits [and the Family and Medical Leave Act] FMLA," mentioned the notification.

The incident report indicated that direct deposit information for some hourly employee may have been exposed as well as the ePHI of spouses and children of employees. Due to the financial data attacked by the phishing scheme, ABB offered those impacted "identity monitoring" as well, the notice said.

Resource: Review the statistics of these cases and the 10 others on the HHS-OCR Breach Portal online at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

Train Your Staff on Email

Email has been around for a long time, so it's easy to assume that your staff understands the nuances of spam, junk, or malicious threats that corrupt the agency network. But the rise in email attacks highlights that not all healthcare workers fully understand the implications.

"Although there has been a lot of recent publicity about external threats to the information systems of healthcare providers, covered entities need to also consider and proactively address threats from within their organization," such as their employees and contractors, suggest attorneys Elizabeth Hodge and Carolyn Metnick with Akerman.

Tip: Focus on possible threats from employees and business associates (BAs) in your enterprise- wide risk assessments, and not specifically for nefarious reasons or because you think your staff might steal your patients' information. Many highlevel employees including managers, clinical staff, and administrators are often the most at-risk for attack in a phishing practice known as "whaling." Social engineers oftentimes use another tactic called "spear phishing" too, which targets vulnerable or novice staff who unwittingly click and unleash chaos.

That's why you might want to "identify security threats by conducting a security risk assessment or a more thorough test of system-wide vulnerabilities," Hodge and Metnick say. If you do experience a breach, having written verification that you completed an assessment and implemented your findings with compliance protocols will go a long way in reducing the feds' wrath.

"Training on data security for workforce members is not only essential for protecting an organization against cyber attacks," reminds OCR in its July 2017 Cybersecurity Newsletter. "It is also required by the HIPAA Security Rule."

Follow 4 Expert Tips To Prevent This Type of Breach

This type of massive, sophisticated data breach may seem impossible to prevent - but you can actually avoid it by taking a few simple steps. In a health law blog post from Ogden, Murphy, Wallace Attorneys in Seattle, attorney Casey Moriarty offers the following tips:

1. Safeguard and Educate. This is yet another reminder to safeguard your electronic systems and educate your staff members on security policies and procedures.

2. Watch Staff Emails. A staff member who clicks on a link in an email or responds to an email from hackers who pose as security personnel could result in unknowingly installing the malware.

3. Use Encryption. Consider employing encryption technology that meets the HIPAA breach safe-harbor standards to avoid or mitigate this type of breach.

4. Check with IT. When staff members are in doubt about a suspicious email, phone call or other communication, instruct them to always check with your IT personnel and your HIPAA privacy officer before taking any action.

Remember, Privacy Still Matters

"Also consider your workforce's privacy knowledge," Hodge and Metnick add. "Many employees do not know how to identify socially engineered emails or other security threats. Employees should be trained on identifying socially engineered emails."

And that's why technical training is essential to keeping breaches to a minimum. Most costly violations are caused by staff accidentally due to a lack of education on the HIPAA Security Rule, not the HIPAAPrivacy Rule. "Fix your people. They are prone to human error," recommends compliance expert Brand Barney, a security analyst with Security Metrics in Orem, Utah.

Note: For a look at the OCR's Cyber-security Newsletter on phishing, visit www.hhs.gov/sites/default/files/july-2017-ocr-cyber-newsletter.pdf?language=es.