Touchstone Compliance

How Falling Prey to a Phishing Expedition Puts PHI at Risk

Phishing has become so commonplace that the word has made its way into the dictionary: Phish — to try to obtain financial or other confidential information from Internet users, typically by sending an e-mail that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake website that replicates the real one.

In today’s HIPAA Quick Tip, I’ll show you a little trick that could save you and your staff from taking the bait from someone phishing for information.

With regulations about data security getting stricter, hackers have stepped up their game. Their attacks have become subtler and more sophisticated. In the early days of phishing, a botnet would blast out a barrage of spam, trolling for credit card, bank account, or Social Security numbers. But as email security systems have made that kind of attack less effective, hackers have taken another approach.

Today they’re more likely to try to get into your system to steal your patients’ Protected Health Information (PHI) via a low-volume attack in which a small number of personal messages are sent to a small number of individuals. These messages typically contain links that, when you click them, install malware on your system, put your practice’s PHI at risk, and potentially undermine much of what you’ve done to become HIPAA compliant.

Phishing has become personal

What makes this new approach different is the way the hackers are able to personalize their messages. Often they’ll use information gleaned from social networks or other public sources. By using a friend’s email address or referencing things like a recent purchase, they try to trick people into thinking the email is for real. Too often, it’s worked.

As promised, here’s an easy step you can take in order to not be “phooled.”

Move your cursor over the link in the email. Instead of clicking on it, let the cursor hover over the link. When you do that, the link's actual destination URL will appear in a small box next to it, and that destination is what matters, not the text the link is dressed up in.

So, if the message is supposedly from, say, Amazon or Health and Human Services or even someone you know, but the URL tells you otherwise, you’ll know not to click. It’s a simple step you can take to feel confident in your decision not to go there. Granted, it’s a small thing, but it could help ensure that HIPAA compliance in your office doesn’t take a hit from someone on a phishing expedition.
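The same check, done in code rather than by eye, as an added example that is not part of the original post: it pulls every link out of an HTML message body, compares the domain the visible link text shows with the domain the href actually points to, and flags links that leave the sender's claimed domain. The message body, the sender domain `amazon.com`, and the two-label domain comparison (no public-suffix list) are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or bare domain, e.g. "www.amazon.com/orders"
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})")

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Hostname of a URL; scheme-less strings are treated as http:// URLs
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def registrable(host):
    parts = host.split(".")  # crude: keep the last two labels (www.amazon.com -> amazon.com)
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def suspicious_links(html, sender_domain):
    """Return (href, text, reasons) for every link that does not go where it claims."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, reasons = host_of(href), []
        shown = DOMAIN_IN_TEXT.search(text)  # what the reader sees vs. where the link goes
        if shown and registrable(shown.group(1).lower()) != registrable(target):
            reasons.append(f"text shows {shown.group(1)} but href goes to {target}")
        if registrable(target) != registrable(sender_domain):
            reasons.append(f"{target} is outside the claimed sender domain {sender_domain}")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample message body (not a real mail); the first and third links are the lures.
SAMPLE_EMAIL = """<p>Your Amazon order has shipped.</p>
<a href="http://amazon-orders.example.net/track?id=1">https://www.amazon.com/orders</a>
<a href="https://www.amazon.com/help">Help center</a>
<a href="http://login.example.org/">Sign in to confirm</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL, "amazon.com")` reports the first link (its text names amazon.com while the href goes to example.net) and the third (a plain "Sign in" link that leaves the sender's domain); the genuine help link passes.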
