HHS’ Office for Civil Rights Offers Anti-Phishing Advice for Healthcare Organizations

The Department of Health and Human Services’ Office for Civil Rights has issued anti-phishing advice for healthcare organizations. The warning and advice comes after several major phishing attacks in healthcare. The risk from phishing is greater than ever before and healthcare organizations are being extensively targeted. If technical controls are not implemented and the workforce is not trained to recognize phishing attacks, data breaches are inevitable.

“Individuals must remain vigilant in their efforts to detect and not fall prey to phishing attacks because these attacks are becoming more sophisticated and harder to detect,” says OCR in its February Cybersecurity Newsletter.

Attackers have increased their efforts to gain access to healthcare networks and have developed new techniques to fool employees. Healthcare organizations should respond to the increased threat by updating their training programs and ensuring cybersecurity training is a continuous process. If healthcare employees are not informed about new attack methods, they cannot be expected to respond correctly.

The anti-phishing advice for healthcare organizations follows on from previous advice on security awareness training in healthcare – the subject of its July 2017 cybersecurity newsletter.

Anti-Phishing Advice for Healthcare Organizations

Following OCR’s anti-phishing advice for healthcare organizations can help to reduce user susceptibility to phishing attacks. OCR suggests training programs should include the following:

  • Healthcare employees should be provided with regular training to help them identify phishing and other malicious email threats.
  • Employees should be told to be wary of clicking links in emails or opening email attachments in unsolicited emails sent from unknown senders.
  • Employees should be told that phishing attacks can come from within and may appear to have been sent from known individuals. Their email accounts could have been compromised.
  • Employees should be told to verify any email request to send sensitive information by contacting the sender of the email, but not to use the contact information supplied in the email.
  • Many emails appear to have been sent from an official source. Employees should be trained to exercise caution even when the email comes from an official source such as a government agency. The links may look genuine, but they may direct users to phishing sites.

Healthcare IT teams also need to implement additional controls as part of their risk management processes.

  • Implement 2-factor authentication on accounts. If a password is guessed or stolen, if it is used to access an account from an unknown device a second form of authentication should be required.
  • Patch promptly and ensure all operating systems are up to date. Conduct scans or use software to check that all patches have been applied and no devices have been missed.
  • Ensure backups are being made regularly and multiple copies exist, including one copy on an air-gapped device stored offsite. In the event of a ransomware attack or other emergency situation, data can be recovered.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news