General Surgery Coding Alert

HIPAA:

Halt Phishing Vulnerability With These Tips

Yes, this click trick can still reel in your system.

If you thought that only high-tech solutions can help you protect your Electronic Health Records (EHR) from a Health Insurance Portability and Accountability Act (HIPAA) breach, you'd be wrong. In fact, simple staff education against just one simple trick may help save the day.

Here's why: An easy portal to your data is still the good old phishing attack, which involves a malicious communication disguised as a trustworthy source in an attempt to gain access to your system and steal information. In fact, emails were the cause of 13 healthcare organization HIPAA breaches in one recent month, impacting more than 150,000 individuals, according to the HHS Office for Civil Rights (OCR) Breach Portal (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf). Seven of those breaches involved unauthorized access or disclosure by personnel.

Recognize the Threat

Email has been around for a long time, so it's easy to assume that your staff understands the nuances of spam, junk, or malicious threats that could corrupt your practice network. But the rise in email attacks highlights that not all healthcare workers fully understand the implications.

"Although there has been a lot of recent publicity about external threats to the information systems of healthcare providers, covered entities need to also consider and proactively address threats from within their organization," such as their employees and contractors, suggest healthcare counsel Elizabeth Hodge, Esq. and partner attorney Carolyn Metnick, Esq. with Akerman LLP.

That doesn't mean the threat that your staff might take patient information, but the threat that your staff might fall victim to practices such as phishing.

Insight: High-level employees, including managers, clinical staff, and administrators, are often the most at risk for attack in a phishing practice known as "whaling." Social engineers oftentimes use another tactic called "spear phishing" too, which targets vulnerable or novice staff who unwittingly click and unleash chaos.

Secure Your Email

You can help avoid having your system hijacked through phishing by following a few simple steps. In a health law blog from Ogden, Murphy, Wallace Attorneys in Seattle, attorney Casey Moriarty, Esq. offered the following tips:

  • Educate staff on email hygiene: A staff member who clicks on a link in an email or responds to an email from hackers posing as security personnel could unknowingly install malware.
  • Check with IT: When staff members are in doubt about a suspicious email, phone call or other communication, instruct them to always check with your IT personnel and your HIPAA privacy officer before taking any action.
  • Use Encryption: Consider employing encryption technology that meets the HIPAA breach safe-harbor standards to avoid or mitigate this type of breach.

"Also consider your workforce's privacy knowledge," Hodge and Metnick add. "Many employees do not know how to identify socially engineered emails or other security threats. Employees should be trained on identifying socially engineered emails."

"Fix your people. They are prone to human error," agrees compliance expert Brand Barney, CISSP, HCISPP, QSA, a security analyst with Security Metrics in Orem, Utah.

Resource: For a look at the OCR's Cybersecurity Newsletter on phishing, visit www.hhs.gov/sites/default/files/july-2017-ocr-cyber-newsletter.pdf?language=es.