Page 22 - Delaware Medical Journal - January 2017
P. 22
BUSINESS OF MEDICINE
Beware of New Phishing Email Posing as HHS
As a Medical Society of Delaware Premier Educational Partner, SSD Technology Partners is conveying this ������������������������������������������������������� and their business assoicates.
The U.S. Department of Health and Human Services (HHS)
��������������������������������������������������������������� ��������������������������������������������������������������� communication, using HHS departmental letterhead and even the signature of OCR Director Jocelyn Samuels.
This phishing scam targets employees of entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and their business associates. Recipients are prompted to click a link ��������������������������������������������������������������� Security, and Breach Rules Audit Program.
The link takes you to a website that is marketing cybersecurity
�������������������������������������������������������������������
government agency. If you receive an email from the HHS OCR and question its authenticity, you should immediately report the email to osocraudit@hhs.gov.
This is just the latest example of a popular attack method used
by cybercriminals when targeting hospitals and health care ������������������������������������������������������������������������ ���������������������������������������������������������������������� law enforcement, or government agency such as HHS or the Internal ������������������������������������������������������������������� send an email with what seems like a perfectly reasonable request or document. Typically, the email includes a link or an attachment that will automatically download malware when clicked. Ransomware
has become a serious problem in health care, as hackers block access to network data and demand that the victim pay a ransom to have access restored.
Law enforcement recommends against paying the ransom because the hacker may not restore access anyway, and it could embolden the hacker to increase the ransom. However, many victims have admitted to paying the ransom because any downtime could disrupt operations and put patient safety at risk.
Many sophisticated hackers will create a website that resembles an
�����������������������������������������������������������������
password. Once the hacker has the user's credentials, they have easy access to the network. They’ll go after assets and information with ����������������������������������������������������������������������� trade secrets, as well as private patient data, such as dates of birth, home addresses, Social Security numbers, medical records, and prescription information. However, the hacker could even attempt to take control of certain parts of the network, including medical devices and equipment.
The consequences of a data breach are devastating, particularly in a health care environment. First and foremost, it could affect patient care. There are obvious HIPAA compliance issues, and patients whose private data was compromised could take legal action. In addition to ����������������������������������������������������������������������
Train employees about phishing emails, the warning signs,
the consequences of a breach, and what to do if a scam is suspected. Tighten up your incident response plan for identifying and addressing threats and communicating incidents to the appropriate people. Remember, even the most advanced security technology can't eliminate the risk of human error. Attacks against hospitals and health care organizations are on the rise, so make sure you're prepared.
22
Del Med J | January 2017 | Vol. 89 | No. 1
