|HIPAA Survival Guide December Newsletter 2016: Issue 84.
Your HIPAA Compliance Companion
Exploring HIPAA Phishing Schemes
Wikipedia defines Phishing as follows:
"Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting victims. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures."
For our purposes this definition captures what we believe are all the essential elements of Phishing. The money quote from the definition above is that "Phishing is an example of social engineering." A "hack" using social engineering does not succeed because the hacker possesses superior technical skills (although some obviously do) BUT rather because the hacker has insight into human nature and therefore knows how readily humans are deceived by things that look familiar but that, upon closer inspection, are not.
You may think that mostly uneducated and unsophisticated users of information technology fall into these traps, but you would be wrong. For example, thousands of lawyers are targeted every day with emails from Asia purporting to have some contractual business that requires legal assistance. If you are a hungry lawyer (and given the disruption that is occurring in the legal industry there are LOTS of them) then your own pecuniary interest blinds you to the fact that business people generally do not randomly select a lawyer from the Internet (the odds of that being legitimate approximate the odds of winning the lotto).
Is Phishing that targets the healthcare industry any different than, say, Phishing that targets the financial services industry? Yes and no. It is different simply because the "bad guys" have figured out that healthcare is more vulnerable than financial services. Hackers, like all knowledge workers, are going to target the low-hanging fruit that produces the most results per unit of time. Healthcare knowledge workers (i.e. clinicians) tend to work at a more frenetic pace and therefore often do not have time to pay close attention to the details that would identify a well-executed Phishing scheme. Combining these two variables makes healthcare a "target rich" environment for Phishing.
Otherwise, in general, the Phishing schemes that have worked elsewhere are simply repurposed for a healthcare environment. Think of it from the bad guy's perspective. He has already taken the time to craft a well-thought-out scheme to gain access to the network (e.g. pretending to be the pizza delivery guy to get into a building and then simply finding a "live" ethernet jack; strictly speaking that is pretexting rather than Phishing, but it relies on exactly the same social-engineering principle). In order for it to work it will need to be well crafted and sophisticated. The temptation on the part of hackers is to simply reuse what has worked elsewhere and apply it to healthcare. So you can "study" a number of well-known and documented Phishing patterns in order to help you educate your workforce about this type of threat. At the end of the day, preventing Phishing is all about education, education, education.
It is easy to state that Phishing should be prevented through education but much harder to devise a curriculum that achieves that objective. Why? Because Phishing schemes become more sophisticated every day, and the old patterns (e.g. the "Nigerian Prince" pattern) have now been so widely discussed that their usefulness to attackers has been exhausted. A better approach is to include "Phishing prevention training" as part of your overall HIPAA training initiative and then send out security reminders to your workforce as you detect new patterns emerging.
The general skill that ALL workforce members (including, and especially, the executive management team) need to acquire is a healthy skepticism toward all inbound emails and links that do not readily appear to come from a trusted source. Thus the general detection pattern is that any small thing that looks "out of place" in an inbound email should be seriously scrutinized before clicking on any link contained therein. If you doubt the authenticity of the email in the least, do not click. Better still, report it to whoever handles security for your organization (or to your IT department) before deleting it, so the same message can be blocked for everyone else who received it. If it was legitimate then the sender will more than likely "ping" you again upon receiving no response.
For example, if you receive an email from your brother-in-law who rarely sends you email AND the email address is NOT one that you recognize, then this is likely a Phishing scheme. The hacker in this case has compromised a computer that contains your brother-in-law's name and probably his address book as well, and is using that "inside knowledge" (you would not suspect a message from your brother-in-law) to get you to click on a malware-infected link. The reverse does not hold, however: a message from the familiar address is not proof of anything either, since the account itself may have been taken over. The unfamiliar address is one signal, not the only one.
As the example above makes clear, it is almost impossible to teach your workforce all the permutations of known patterns that exist; let alone those yet to be invented. So given that, a better approach is to educate your workforce with a selection of Phishing patterns, in order to teach them the "general pattern." The latter can be summarized as follows: if something "feels" wrong about an inbound email correspondence then the likelihood is high that there is in fact something wrong with it.
Of course, inbound email is not the only vehicle for Phishing schemes. Phishing schemes are limited only by the "bad guys'" imaginations. A well-known scheme, as discussed above, is to dress up like the pizza/doughnut delivery guy to gain physical access to an otherwise secure building. Most of us have attended business meetings where food is one of the rewards for attendance. We are naturally inclined to open the door for the "food guy" and for someone dressed in a uniform that represents authority (e.g. someone dressed as a police officer).
Although preventing Phishing is generally a matter of workforce training, there are technology solutions that may help you prevent electronic Phishing. For example, the Sender Policy Framework:
"[I]s an open standard specifying a technical method to prevent sender address forgery. More precisely, the current version of SPF - called SPFv1 or SPF Classic - protects the envelope sender address, which is used for the delivery of messages... Even more precisely, SPFv1 allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain. The technology requires two sides to play together: (1) the domain owner publishes this information in an SPF record in the domain's DNS zone, and when someone else's mail server receives a message claiming to come from that domain, then (2) the receiving server can check whether the message complies with the domain's stated policy. If, e.g., the message comes from an unknown server, it can be considered a fake."
The obvious drawback to this approach is that publishing your own record only prevents your outbound email addresses from being spoofed; it does nothing to stop inbound malware from reaching your users unless the domains that mail you publish (and your receiving server enforces) a similar policy. The chances of universal adoption are slim, and even if it happened, the "bad guys" would find easy workarounds. SPF also checks only the envelope sender (the MAIL FROM address used for delivery), so the From: line the recipient actually sees can still be forged; DKIM signing and a DMARC policy are what tie the visible From: to your authenticated mail, and look-alike domains remain out of scope for all three. That said, protecting your own outbound email address from being "spoofed" could save you from spending a significant amount of time and money cleaning up the mess, while at the same time preventing your brand from taking a significant hit to its reputation. It is definitely something worth looking into.
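To make the two-sided mechanism in the quotation concrete, here is an added example (not code from the newsletter, and not an SPF library) of the receiving side's check, run against a constructed DNS table instead of live lookups. The domain names and records are assumptions for illustration; the weak.example record shows the kind of policy that looks like protection but authorises every host.

```python
"""Minimal SPF evaluator (after RFC 7208) over a constructed DNS table.

Added example, not the newsletter's own code. FAKE_DNS stands in for the
TXT lookups a real receiver performs for the envelope sender's domain.
Supported: ip4, ip6, include and all with the qualifiers + - ~ ?.
The a, mx, ptr, exists and redirect terms need live DNS and are reported
as permerror here rather than silently ignored.
"""
import ipaddress

FAKE_DNS = {
    # Correct policy: only the listed senders pass, everything else fails.
    "clinic.example":   "v=spf1 ip4:192.0.2.0/24 include:mailhost.example -all",
    "mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    # Weak policy: '+all' authorises every host on the Internet, which for
    # the purpose of stopping spoofing is no better than having no record.
    "weak.example":     "v=spf1 ip4:192.0.2.0/24 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record of sender_domain for a connection from client_ip."""
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = dns.get(sender_domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"                 # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, client_ip, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"      # a broken include is the publisher's error
            # fail/softfail/neutral from the include simply does not match
        else:
            return "permerror"          # mechanism not supported by this toy
    return "neutral"                    # ran off the end without a match


def record_weaknesses(record):
    """Flag policies that let unlisted hosts through: '+all', '?all', or no 'all'."""
    terms = record.split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        return ["every host passes: replace with -all or ~all"]
    if last == "?all":
        return ["neutral result for unlisted hosts: receivers cannot reject"]
    if last not in ("-all", "~all"):
        return ["no terminal all: unlisted hosts get neutral"]
    return []


if __name__ == "__main__":
    for domain, ip in [("clinic.example", "192.0.2.25"),
                       ("clinic.example", "198.51.100.10"),
                       ("clinic.example", "203.0.113.5"),
                       ("weak.example", "203.0.113.5")]:
        print(f"{domain:18} from {ip:15} -> {check_spf(domain, ip)}")
    for domain, record in FAKE_DNS.items():
        print(domain, record_weaknesses(record) or "ok")
```

The result a receiver acts on is the one returned for the envelope sender's domain, so a message claiming clinic.example but delivered from 203.0.113.5 comes back "fail" and can be rejected; the same message against weak.example comes back "pass", which is why auditing your own record with something like record_weaknesses is the first thing to do after publishing it.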
The HIPAA Survival Guide Subscription Plan
The Risk Assessment Express
is easy-to-use Risk Assessment software that allows you to identify security objects, risks, threats and vulnerabilities, define impacts and assign controls at a glance!
Allows you to do a Baseline Risk Assessment in
3 Hours or less!
It's no secret that HIPAA compliance can be complicated. Very complicated!
The Security Rule tells us that all Covered Entities and Business Associates must perform Risk Assessments. HHS tells us that Risk Assessments are on the desk auditors' target list. HIPAA tells us that failure to comply with the Security Rule can result in huge fines.
What HIPAA doesn't tell you is how to actually perform a
WHERE DO YOU START???
Our "Quick Start Guide" gets you off and running to complete your first Risk Assessment in 3 hours or less. Expresso™ comes pre-populated with all the Risks, Threats, Vulnerabilities and Impacts necessary to complete a baseline Risk Assessment.
- Perform a baseline Risk Assessment in a matter of hours
- Bulk import Security Objects (people, places, assets, processes and other things that Security Controls are applied to)
- Track the results of the Controls applied
- Retain instances of past Risk Assessments for reporting purposes
Expresso™ will allow you to do all of the above, and so much more! In addition, the HIPAA Survival Guide Subscription Plan also includes Policies and Procedures customizable to your organization.
Included In HIPAA Survival Guide Subscription Plan
HIPAA Compliance Products
HIPAA Training Products Included
Give Your Organization's Compliance Initiative
The Boost It Needs To Survive A HHS Audit With
The HIPAA Survival Guide Subscription Plan With Expresso™
Protect Your Practice and Your Business