A health care entity was recently hit by an email attack that resulted in personal employee information being released to a scammer. Today, we will show you how social engineering and training can become a valuable HIPAA Compliance Tool.
On January 25, Campbell County Health (CCH) provided a press release on their website detailing a security incident involving employee information. A scammer impersonating a CCH executive sent an email to an employee asking for W-2 information for employees who had taxable earnings in 2016. This type of scam is specifically called phishing and is a type of social engineering. Social engineering occurs when someone uses deception in order to acquire confidential information.
The employee submitted the information to the scammer before anyone at CCH was able to determine that the email was a scam.
CCH stated that no protected health information was submitted. CCH contacted law enforcement and a cyber security response team to help identify the suspect. CCH also provided information to affected employees on how to better protect themselves, including taking part in the organization sponsored identity protection services.
What does this have to do with HIPAA?
While protected health information (PHI) was not released in this security incident, another similar situation might result in a breach. Nefarious characters are always looking for ways to get important information from organizations, and emails that seem legitimate are a perfect way to do this.
In 2015, a Brigham and Women’s Hospital employee provided login credentials for an email account after receiving a phishing email. The email account contained a limited amount of PHI.
In 2014, Seton Healthcare Family experienced a breach after a phishing attack. This security incident affected 39,000 patients.
How is Social Engineering an Effective HIPAA Compliance Tool?
Hiring a third party to conduct social engineering gives insight into areas where more training might be needed. Everyone is so used to using email that they often don’t think twice about who a message is coming from or whether its attachment might contain malware.
The third party will conduct social engineering the way a scammer would, but will provide you with information on who opened the email and who clicked a link or opened an attachment. Depending upon the company, you might receive information on exactly who took specific actions, or the results might be anonymous so that you receive only the percentage of emails that were opened.
The testing will give your organization valuable insight into the type of training that you should provide for your employees to minimize the risk of employees accidentally sharing confidential information in a real phishing attack. Training that covers what to look for in emails is essential for employees. Your employees should be able to identify suspicious emails and have specific procedures to follow when they do find a suspicious email, like presenting the email to your organization’s HIPAA Privacy and/or Security Officer.
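The incident above follows a recognizable pattern: a display name that claims to be an executive, a sender address outside the organization, replies redirected elsewhere, and a request for payroll or tax data. The following added example (not from CCH or HIPAAgps) turns those red flags into a small heuristic checker that a training exercise or mail filter could apply; the domain, executive names and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organization's own mail domain and the
# display names of executives most likely to be impersonated (hypothetical).
INTERNAL_DOMAIN = "example-health.org"
EXECUTIVE_NAMES = {"jane doe", "john smith"}
# Phrases that suggest a request for employee payroll or tax information.
SENSITIVE_REQUEST_TERMS = ("w-2", "social security number", "payroll", "direct deposit")


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like executive-impersonation phishing.

    An empty list means no indicator fired, not that the message is safe.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if "@" in reply_addr else ""

    # Display name claims to be an executive, but the address is not internal.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        reasons.append(f"display name {from_name!r} is an executive but sender domain is {from_domain!r}")
    # Replies are silently redirected to a domain other than the sender's.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    # The body asks for payroll or tax data.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [term for term in SENSITIVE_REQUEST_TERMS if term in text]
    if hits:
        reasons.append("requests sensitive employee data: " + ", ".join(hits))
    return reasons


# Constructed sample messages: one modelled on the W-2 scam, one legitimate.
PHISH_SAMPLE = """\
From: Jane Doe <jane.doe@mail-example.com>
Reply-To: ceo.request@another-example.net
To: payroll@example-health.org
Subject: Urgent: employee W-2s

Please send me the W-2 forms for all employees with taxable earnings in 2016.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example-health.org>
To: staff@example-health.org
Subject: Town hall next week

Reminder that the quarterly town hall is Tuesday at 10am.
"""
```

Running `phishing_indicators(PHISH_SAMPLE)` returns three reasons, while the legitimate message returns none; a real deployment would add checks the page does not cover, such as authentication results (SPF/DKIM) and lookalike domains.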
For more information on these types of HIPAA Compliance Tools and others, join HIPAAgps today!