Phishing Emails and Why Encryption Software is Warranted
One of the most common ways hackers gain access to a computer system is through phishing emails. Phishing emails can be difficult to recognize because the attacker disguises the message as coming from a trusted entity, such as someone you know, and includes a malicious link. Once the recipient clicks the link, the hacker can gain access to the system and any data it contains. Organizations that maintain or transmit protected health information (PHI) must have safeguards in place to protect that data.
The behavioral health industry is a particularly appealing target, as much of its information is sensitive in nature. With the adoption of new technology, behavioral health professionals are turning to telehealth platforms to meet with patients, and online platforms offering health services are laden with PHI. In the face of escalating phishing attacks, the importance of encrypting data has never been higher.
Navicent Health Systems Phishing Email Incident
Monroe County Hospital was notified in March of 2019 that its business associate, Navicent Health Systems, had experienced a phishing attack resulting in a data breach. Overall, the breach exposed the PHI of 278,016 individuals, 10,970 of whom were patients of Monroe County Hospital.
Employees of Navicent Health received phishing emails containing a malicious link that allowed hackers to access their email accounts. Although it is unclear whether the hackers accessed PHI, the email accounts in question contained names, birth dates, addresses, Social Security numbers, driver's license numbers, medical record numbers, and limited health information. The incident, which initially took place in July of 2018, was not reported to Monroe County Hospital until March of 2019.
In a press release Navicent Health stated, “We take our responsibility to safeguard personal information seriously and apologize for any inconvenience or concern this incident might cause. We are committed to taking steps to help prevent something like this from happening again, including evaluating additional platforms for educating staff and reviewing technical controls.”
The Department of Health and Human Services (HHS) and Data Security
Although most organizations train their employees to recognize phishing emails, a large portion of breaches in the healthcare industry still start with one. When an organization uses encryption software to protect its data, however, the data remains protected even if a hacker gains access to the system.
The Department of Health and Human Services (HHS) identifies ten practices organizations should implement to increase their cybersecurity:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
Recognizing phishing emails can protect your organization from data breaches, but encrypting your data is imperative to protecting PHI. In many of the recent phishing incidents, the organizations had trained their staff to recognize phishing emails but had failed to encrypt their data. Encryption is a necessity that your organization cannot afford to ignore. When your data is encrypted and you experience a breach, your files will be unreadable to the attacker, and therefore the PHI will be protected. Data encryption is a requirement under HIPAA law; without encryption, your organization is not HIPAA compliant.
Cybersecurity management should be a top priority for behavioral health professionals. Because cybersecurity is a complex issue, we will be publishing a ten-part series discussing each of the practices identified by HHS in detail and how they affect your behavioral health practice.