
Briefings on HIPAA, September 2016

Phishing for PHI

Cyber threats continue to grow and evolve, but most share a similar origin: phishing. Phishing emails, seemingly innocuous or legitimate emails used to infiltrate an organization, are a common source of malware and are used for scams in which a criminal impersonates another individual to obtain sensitive information. A study released in March by PhishMe estimated that up to 93% of phishing emails contain ransomware.

Although the damage phishing emails can do is tremendous, security officers can help their organizations turn the tide by using a combination of technical controls and targeted education.


Gone phishing

The danger and the success of phishing emails lie in their ability to manipulate the individual on the receiving end. Phishing emails may be sent from domains that are a near-identical match for an organization’s and come with what appear to be legitimate and urgent attachments or links. It’s a simple scheme that criminals can use for a variety of purposes.

"They hope to get malware installed so they can control the computers they infect or even the entire network. They hope to get network or application login credentials. They hope to trick people into performing certain actions, i.e., a wire transfer of money," Kevin Beaver, CISSP, independent information security consultant at Principle Logic, LLC, in Atlanta, says. "The possibilities are endless."

The dangers are, too. PHI, financial, and business information are all at risk when a staff member falls for a phishing email. "Some of the most elaborate hacking incidents and large-scale data breaches have started with a single phishing email," Beaver says.

The cost and frequency of data breaches have remained high for several years. Data breaches cost the healthcare industry $6.2 million, according to Ponemon and ID Experts’ Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. The study also found that, despite the high cost of breaches, many organizations say they lack the budget to invest in managing data breaches.

"I think organizations are trying to do the best they can, but they’re under a barrage from all fronts," Rick Kam, CPP/US, president and CEO of ID Experts, says. "They’re under regulatory scrutiny. The ACA is changing its business tremendously. At the same time, criminals are realizing they’re a soft target. While there’s the recognition that organizations need to do more, I think the bad guys are winning at this point because they have more resources and they’re more creative."

Beaver agrees that organizations must catch up or find themselves paying the price of a data breach. "I don’t think most organizations fully understand what they’re up against," he says. "IT and security staff members might, but they are having a problem communicating that to the stakeholders or getting and keeping the necessary management buy-in."


A big catch

Early phishing emails were relatively unsophisticated scams, Kam says. They often claimed to be sent by a representative of a foreign bank that wished to transfer money the unsuspecting recipient had inherited or won.

Today’s phishing emails are often much more sophisticated. Spear phishing specifically targets highly placed individuals in organizations with the credentials to access and request large amounts of sensitive information. Hackers engage in social profiling, researching a target’s organization, job description, and level of access to sensitive information. Recent breaches of social media sites, such as the LinkedIn breach, may have exposed detailed information about users. But even a quick scan of a social media profile can reveal a high level of detail about an individual’s job and typical style of communication.

Then, either by hacking into the target’s email account or creating an email address at a domain that’s a near match for the organization’s, the attack is launched.
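The near-match domains described above are something a mail gateway or triage script can screen for on the receiving side. The following is an added example, not code from the article or from any vendor named in it; it normalises a sender's domain for common confusable characters, then compares it to the organisation's own domain by edit distance and by subdomain abuse. The organisation domain `example-health.org` and the sample addresses are placeholders constructed for the example.

```python
"""Lookalike sender-domain check (added example; the org domain is a placeholder)."""

# Placeholder organisation domains, constructed for this example.
ORG_DOMAINS = {"example-health.org"}

# Character substitutions commonly used to make a domain look like another.
# Applied to both the candidate and the organisation domain before comparing.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l", "5": "s"}


def normalise(domain):
    """Lower-case, strip a trailing dot, and collapse confusable characters."""
    d = domain.lower().strip().rstrip(".")
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Standard Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(address, org_domains=ORG_DOMAINS, max_distance=2):
    """Return 'internal', 'lookalike', 'external' or 'invalid' for a sender address.

    'lookalike' covers three cases: the domain equals an org domain once
    confusables are collapsed, it is within max_distance edits of one, or it
    uses the org domain as a leading subdomain of some other registered domain.
    """
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if domain in org_domains:
        return "internal"
    nd = normalise(domain)
    for org in org_domains:
        no = normalise(org)
        if nd == no or edit_distance(nd, no) <= max_distance:
            return "lookalike"
        if nd.startswith(no + "."):
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample senders, not real addresses.
    for addr in ("ceo@example-health.org", "ceo@examp1e-health.org",
                 "ceo@exarnple-health.org", "ceo@example-heath.org",
                 "ceo@example-health.org.mail-check.test",
                 "partner@hospital-partner.test"):
        print(f"{addr:45s} -> {classify_sender(addr)}")
```

Flagging a sender as a lookalike is a reason to quarantine or tag the message for review, not proof of phishing; legitimate partner domains that happen to be close to the organisation's should be added to an allow list rather than lowering the distance threshold.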

In a recent series of phishing scams, hackers impersonated individual chief executive officers (CEO) and chief financial officers and sent emails to accounting staff requesting W-2 information for all employees, Kam says. Unfortunately, a number of recipients fell for the scam. In this case, the W-2 information was likely used to commit tax fraud whereas phishing emails requesting PHI are often part of medical identity scams, Kam says. (For more information about medical identity theft, see Medical identity theft: Part 1 and Medical identity theft: Part 2 in the July and August 2016 issues of BOH.)

Defense tools

Phishing and other cyberattacks will likely increase and healthcare organizations are a prime target, Beaver says. "With all of the complexities of any given network environment combined with the lack of resources and general overwhelmed nature of many IT and security teams, I can’t imagine that it won’t."

However, the rise of phishing and cyberattacks might have a silver lining, Kam says. "The more cyberattacks an organization sees, the more likely it is that the executive team will approve technologies and educational things to protect their organization."

There are a number of technical controls organizations can put in place to stop phishing emails before they land in a staff member’s inbox, Kam says. Behavior analytics tools can help detect phishing by analyzing a user’s typical behavior, such as when they sign in and out and what systems they access. If a user generally signs in at 8 a.m. from their office and signs out between 4:30 and 5 p.m., the tool will look for deviations from that routine. If the same user suddenly begins signing in at 2 a.m. from a remote location, it will stop the transaction. However, behavior analytics tools are still not universal, he says.
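The baseline-and-deviation routine just described is simple enough to show end to end. The code below is an added example, not the article's or any vendor's product: it learns each user's usual sign-in hours and source (office or remote) from a few days of constructed login records, then flags later logins that fall outside that window or come from an unfamiliar source, which is the 2 a.m. remote sign-in case in the text. The log format, user `jdoe`, the office address range `10.20.0.0/16` and the remote address `203.0.113.77` are all constructed for the example.

```python
"""Login-behaviour baseline check (added example; log lines and networks are constructed)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: "timestamp user src_ip event", one record per line.
SAMPLE_LOG = """\
2016-09-01T08:02:11 jdoe 10.20.5.14 login
2016-09-01T16:45:30 jdoe 10.20.5.14 logout
2016-09-02T07:58:02 jdoe 10.20.5.14 login
2016-09-02T16:52:47 jdoe 10.20.5.14 logout
2016-09-03T08:05:40 jdoe 10.20.5.21 login
2016-09-03T17:01:09 jdoe 10.20.5.21 logout
2016-09-04T02:13:55 jdoe 203.0.113.77 login
"""

# Assumed office address space (placeholder, not from the article).
OFFICE_NETS = [ip_network("10.20.0.0/16")]
HOUR_SLACK = 1  # tolerate +/- one hour around the observed sign-in hours


def parse_log(text):
    """Parse log lines into (timestamp, user, ip, event) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        records.append((datetime.fromisoformat(ts), user, ip_address(ip), event))
    return records


def is_office(ip):
    return any(ip in net for net in OFFICE_NETS)


def build_baseline(records):
    """Per user: the observed sign-in hour window and the set of sources seen."""
    hours = defaultdict(list)
    sources = defaultdict(set)
    for ts, user, ip, event in records:
        if event != "login":
            continue
        hours[user].append(ts.hour)
        sources[user].add("office" if is_office(ip) else "remote")
    return {
        user: {"min_hour": min(h) - HOUR_SLACK,
               "max_hour": max(h) + HOUR_SLACK,
               "sources": sources[user]}
        for user, h in hours.items()
    }


def check_login(baseline, ts, user, ip):
    """Return the reasons a login deviates from the user's baseline (empty list = normal)."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if not profile["min_hour"] <= ts.hour <= profile["max_hour"]:
        reasons.append(f"hour {ts.hour:02d} outside usual window")
    source = "office" if is_office(ip) else "remote"
    if source not in profile["sources"]:
        reasons.append(f"{source} source {ip} not seen before")
    return reasons


def flag_anomalies(records, train_days=3):
    """Build the baseline from the first train_days days, then evaluate later logins."""
    first_day = min(ts for ts, *_ in records).date()
    train = [r for r in records if (r[0].date() - first_day).days < train_days]
    baseline = build_baseline(train)
    flagged = []
    for ts, user, ip, event in records:
        if event == "login" and (ts.date() - first_day).days >= train_days:
            reasons = check_login(baseline, ts, user, ip)
            if reasons:
                flagged.append((ts.isoformat(), user, str(ip), reasons))
    return flagged


if __name__ == "__main__":
    for entry in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(entry)
```

A real deployment would keep a rolling baseline per user rather than a fixed training window, and would feed the flagged login into a step-up authentication or block decision rather than just reporting it; the point here is that the "deviation from routine" the article describes is two comparisons against a learned profile.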

Browser tools can protect users even when they’re out of the office, Kam says. A staff member may need to sign into his or her email using a browser while working remotely, but accessing email via a browser is typically not secure. An organization’s IT department can install a browser extension on staff members’ laptops and smartphones that will analyze websites and warn the user if the site he or she is attempting to access is suspicious.

Technical defenses can’t take a backseat, Beaver warns. Without the right tools, staff will be left vulnerable.

"It’s incumbent on IT and security teams to set their users up for success with proper technical controls that will detect and stop such behaviors," he says. "These controls, such as strong endpoint security, proper malware protection, and network-based activity monitoring and blocking, are often absent or poorly implemented at best."

But even with the best technical safeguards, some phishing emails will still slip through.

"Many companies have been investing in tools and security systems so they have the ability to defend from hackers, from a technical aspect," Kam says. "But unfortunately people will still always be the weak link."

Getting smart

Protecting PHI from phishing, and other vulnerabilities, requires a three-pronged approach, says Meredith Phillips, CHC, CHPC, HCISPP, ITIL, chief information privacy and security officer at Henry Ford Health System (HFHS) in Detroit. To protect PHI, organizations must invest in technology, develop processes, and train staff. Some organizations may invest heavily in technology but they typically forget about training staff, she says.

"We do put a lot of emphasis on the people part of that triangle, because we feel that no amount of technology or no defined process is going to work if you have a person who has to make a judgment call every day," she says.

HFHS employs 27,000 people, all of whom must go through mandatory annual training. Staff average 98% to 99% completion rates for the annual training, which is exceptional for an organization its size, Phillips says.

One of the keys to HFHS’s success is applying proven education techniques. Training should be developed according to the eight-by-eight concept of adult learning, she says. In this model, a concept is addressed eight different times, eight different ways. Typically, after the eighth time, an adult learner will fully understand the material. HFHS takes the concept a little further to what Phillips calls the 25-by-25 rule.

"We’re always talking to people about this stuff," Phillips says. "We really try to saturate our environment with nuggets of information that support our overall strategy from a training standpoint. So by no means am I trying to give you a five-page document every time we train you, but we train you at times you don’t even know you’re being trained."

However, be wary of oversaturating staff, she adds. Spear phishing targets specific staff, and education should as well. Earlier this year when phishing emails began to go out to accounting staff requesting W-2 information, Phillips took strategic action.

"Once we realized that was happening, we pushed out a whole training and education module targeting our financial team, because most staff will never see that particular type of phishing email," she says. "You have to stay ahead of the game and, if you see these happening in your environment, you need to be poised and ready to go and get to that targeted group so they can make a better judgment call."


Information sharing

Privacy and security officers should share information on new phishing and hacking attacks with department managers, she says. Managers can then pass the warning on to staff before specific training is rolled out.

Staff will likely have a number of questions about phishing. They should know who to ask and shouldn’t worry that questions are an unwanted bother.

"If you have training and you’re not telling people how to get to you afterward, you’re defeating the purpose," Phillips says.

This message is especially important when training is online, she says. Many organizations opt for online training modules that staff can complete at their own pace by a given deadline. However, without face-to-face interaction with an instructor, staff can’t ask questions during the training. Open channels of communication between the privacy and information security department and the rest of the organization will ensure any questions are resolved.

When it comes to PHI, it’s better to ask a question than risk a breach, Kam says. Many staff may have questions about how to spot the difference between a legitimate request from a colleague and a carefully crafted phishing email.

"Show them [staff] some examples of the more blatant emails you might get," Kam says.

Staff should know it’s okay to ask for confirmation for an unusual request, even if it comes from someone who appears to be a senior manager or even the CEO. Some may feel reluctant to question a request they believe is coming from someone highly placed in the organization and may feel pressured to comply with the request quickly and without question. That’s exactly what phishing depends on. Managers, including senior managers, should encourage staff to double-check any unusual requests, Kam says.

"If staff feel confirming a request would be frowned upon, the organization is setting itself up for a breach," he says.

Some staff may also have trouble understanding why they can’t simply rely on anti-malware or anti-phishing tools to catch every suspicious email. Remind staff that hackers can work around the clock to create new methods to break technological defenses, but an anti-phishing or anti-malware program’s definition files aren’t updated instantly, Phillips says.

Communication will also help privacy and security officers, she adds.

"We always ask for feedback about what are some of the ways we could present this information," she says. "There are scenarios that they come up with that we might not be aware of, that happen in their business every day. So they educate us on what those things are."


Changing culture

Many organizations acknowledge more could be done to improve information security, according to the Ponemon survey. However, the survey also revealed that covered entities and business associates appear to place the blame for breaches, and the responsibility for preventing them, on each other. That lack of accountability may be a significant part of why cyber criminals see the industry as an easy target, Kam says. Until each organization accepts responsibility, it’s likely some will continue to pass the buck.

But without executive buy-in, privacy and security officers may face an uphill battle for resources and staff engagement with training, Phillips says.

"I don’t think education can be pushed from the bottom up," she says. "Your CEO has to provide you with support to be able to push levels of comprehensive training."

When CEOs and senior leaders set the example, an organization can shift its culture. "When I see my CEO taking training and education personally and actually taking it as a business value for her to be able to do things in a more compliant manner, it makes me want to be more compliant," Phillips says.

Organizations must commit to security and provide staff with tools and training to support that goal. Often, this can be accomplished by enforcing or refreshing existing tools and training.

"I’m of the belief that no new strategies are needed—just the stuff we’ve known about for decades that hasn’t yet been done," Beaver says. "In other words: discipline."


HIPAA enforcement

Is OCR ready to get proactive about HIPAA?

The Office for Civil Rights (OCR) stepped up HIPAA enforcement in a big way this year. The agency handed down more than $5 million in HIPAA settlement fines in one week in March, and in July reached a HIPAA violation settlement with Advocate Health Care in Illinois that carried a $5.55 million monetary payment. OCR kicked off phase two of its HIPAA Audit Program and will likely complete desk audits of covered entities (CE) and business associates (BA) by the end of the year. Comprehensive on-site audits may occur early in 2017.

However, breaches continue to come at a relentless pace and questions have arisen about OCR’s handling of HIPAA violations, particularly repeat HIPAA offenders. And a truly permanent HIPAA audit program may not yet be in sight: OCR states that phase two audits will help the agency plan for a permanent audit program but doesn’t state when that might launch.

In a September 2015 report (https://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf), the Office of Inspector General (OIG) said OCR—and HHS as a whole—should strengthen its oversight of CEs and be proactive rather than reactive in its approach to HIPAA enforcement. The report found that in 26% of closed privacy cases, OCR did not have complete documentation of corrective actions taken by CEs. In addition, OCR’s case tracking system has significant limitations and makes it difficult for the agency’s staff to check if a CE under investigation has been the subject of previous investigations.

All of this may make some CEs and BAs feel that HIPAA compliance is merely optional, and that leads to a weaker privacy and security culture throughout the industry. Although OCR does take action to make its presence felt, it could do more, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says.

"I do believe that OCR is trying to let people know that it considers HIPAA compliance an important objective," he says. "With its guidance and ongoing alerts about the occasional enforcement actions here and there, I see OCR’s enforcement a small step above being a paper tiger in terms of how seriously people take it."

The waiting game

The OIG’s September 2015 report wasn’t the first time that agency has found fault with HHS and OCR’s methods, Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says.

"OIG has published a number of reports over the years, identifying problems with HHS’ oversight and enforcement of these HIPAA rules," she says. "I know of no one in the profession who reads the OIG reports and disagrees."

But HHS and OCR have been slow to take action. More than five years passed between the end of phase one of the HIPAA Audit Program and the announcement of phase two, and OCR still has obligations it’s failed to fulfill. The agency’s slow pace may lead some to take it, and HIPAA, less seriously.

"Since the latest round of rule changes back in 2010, over six years ago, there are still outstanding rules and unmet commitments by HHS and OCR," Ruelas says. "In the end, it not only erodes credibility but also questions just how seriously is OCR taking its enforcement duties."


Another day, another fine

HHS and OCR regularly announce breach settlements, but 2016 saw a flurry of high-profile and costly settlements. OCR took the opportunity to make examples of a number of CEs and BAs in its statements, calling attention to the particular violations that tipped the settlements into the hundreds of thousands, or even millions, of dollars.

Although the settlements grab attention and headlines, it may be difficult to determine their positive impact. Some of the HIPAA violations in question date back years. Staff who worked at the organization, and may have been involved in the breach, are likely gone. Even administrators, executive leaders, and owners may change in that time. Some organizations may see OCR’s enforcement actions as too little, too late, Mac McMillan, FHIMSS, CISSM, cofounder and CEO of CynergisTek, Inc., in Austin, Texas, says.

"We all want the same thing: to see our industry do better," he says. "This is just more of the same old, same old. Same issues, different players."

A HIPAA settlement fine might be a crushing blow to a physician practice or small home health or physical therapy organization, but even the largest fines might not make an appreciable impact on larger organizations, McMillan says.

"To be really impactful, there will probably need to be more, they will need to happen closer to the actual event they’re related to, and possibly the fines will need to be bigger," he says. "The fines levied were really not substantial fiscally, and there was no accountability for those responsible for making security decisions, so they pay and move on."

Borten agrees that the long period of time between when a breach is reported and when OCR takes action lessens the impact. "The response or punishment must rapidly follow the event to have a significant impact on future behavior," she says.

Although some find California’s short breach notification timelines and black and white faxing rules burdensome, these measures have caused CEs and BAs to change their behavior and improved privacy and security, McMillan says.

Some CEs and BAs may be willing to take the chance they won’t be caught, Ruelas says. "I truly think that people see enforcement a lot like getting hit by lightning. However, if it does occur, it tends to be a game changer and does make for an interesting day."

But whether the change is meaningful or widespread may be difficult to determine, and any alteration to OCR’s HIPAA enforcement practices would likely be an improvement, he adds.


Learning from others’ mistakes

However, CEs and BAs can get something out of HIPAA settlements. Conscientious entities will fulfill the terms of the corrective action plan and even improve on it. And other CEs and BAs can take valuable lessons from OCR’s breach announcements. The agency often draws attention to specific issues that led to the breach, levies a pricey fine, and points out how the organization could have avoided the problem in the first place.

"HIPAA enforcement actions are important teaching tools," Borten says. "Workforce members can be asked if the same problem could arise in their organization, and how individuals can avoid the same fate."

Many privacy or security failures that lead to breaches are the result of human error and are still relevant regardless of when the breach occurred, she adds.

Although the security landscape has expanded beyond missing laptops and smartphones, Ruelas says there’s still a lot CEs and BAs can learn from these enforcement actions. Organizations may see ransomware, phishing, and privacy and security breaches on social media as the biggest threats—and rightly so. Yet many breaches still come down to 10-year-old HIPAA basics: misdirected faxes, incorrectly addressed emails, or handing the wrong documents to a patient.

While human error is still a concern, McMillan is most worried about the increasing number of breaches due to hacking, particularly the greater loss of data due to hacking and the effects such breaches have on the industry. "Human errors are still an issue, but the relative impact of those incidents compared to the impacts we see from hacking recently pales in comparison. Many of those attacks were the result of misconfigured or poor administration of systems resulting in serious outages and millions of lost records," McMillan says. "This is where OCR needs to focus attention."


Phase two

The launch of phase two of the HIPAA Audit Program may promise some positive change. The audits are intended to help the agency improve HIPAA guidance and tools and pinpoint common problems and challenges CEs and BAs face. (For more information on the phase two audits, see the May and July 2016 issues of BOH.) Desk audits of CEs began in July, with BAs scheduled to follow in the fall. However, it may take 90 days after submitting documents for CEs to receive a draft audit report. Until then, it will be difficult to predict what OCR’s response to the audits might be.

The audit reports will not be made public, although OCR representatives indicated they will likely be available through a Freedom of Information Act request. Sharing some data might help CEs and BAs.

"I do think that if audit results can somehow be summarized and shared, just by their detailed nature, the audits can be wonderful sources of information for the HIPAA community," Ruelas says.

It took three years for the agency to update the audit protocols to reflect changes made by the HIPAA omnibus rule, he adds. It’s too soon to tell how long it might take the agency to revise or refocus its guidance based on the results of the phase two audits, but it would no doubt be beneficial for all CEs and BAs to see results sooner rather than later.

Establishing a permanent audit program is one of OCR’s responsibilities under HIPAA, and the agency’s failure to develop one has drawn criticism from the industry and from other regulatory agencies such as the OIG. OCR agreed with the OIG’s latest call for a permanent audit program. Phase two is an encouraging step in that direction, but still not quite enough.

"It has been very vocal on its commitment to establishing an effective and permanent auditing program," Ruelas says. "Let’s see if it really is going to walk the talk."


HCPro.com – Briefings on HIPAA