OCR Offers Advice on Recognizing, Avoiding, and Mitigating Social Engineering Attacks – HIPAA Journal
Posted By Steve Alder on Oct 28, 2024
The majority of healthcare data breaches reported in the past few years are due to hacking incidents, but many of these security incidents do not involve the exploitation of vulnerabilities in software and operating systems for initial access. Far more common is the exploitation of human vulnerabilities, where healthcare workers are tricked into giving cyber actors access to internal systems and sensitive data. According to the Verizon 2024 Data Breach Investigations Report, more than two-thirds of breaches involve the human element rather than the exploitation of weaknesses and vulnerabilities in technology.
One of the most common methods used is phishing, where a cyber actor makes contact with a healthcare employee and convinces them to visit a malicious website where they are asked to enter their credentials or are convinced to download a malicious file, both of which give the cyber actor the access they need. With phishing, the initial contact is often via email, although an increasing number of phishing attacks are now occurring via SMS (smishing), instant messaging platforms, social media networks, and over the telephone (vishing).
Phishing usually involves deception and impersonation. A trusted individual, company, or institution is impersonated, and the targeted individual is provided with a seemingly legitimate reason for taking the requested action. This could be a request for collaboration on a report, a notification about a failed delivery, a missed payment of an invoice, or a security warning. There is often a threat of negative consequences if no action is taken, commonly a pressing matter such as impending loss of service, a significant charge that will soon be applied to an account, or unauthorized account access that warrants immediate steps to secure the account.
The techniques used in phishing are known as social engineering – manipulating, influencing, or deceiving someone into taking a certain action, which in cybersecurity terms means gaining unauthorized access to computer systems, financial accounts, or sensitive data. While phishing is one of the best-known attack methods that uses social engineering techniques, cyber actors use social engineering in other types of attacks to achieve similar goals. One is baiting, where social engineering is used to trick someone into taking an action to obtain something of value, such as entry into a free prize draw or an amazingly low price on goods and services. In order to get what is promised, sensitive information must be disclosed, such as credentials, a credit/debit card number, or personal information.
Advances in artificial intelligence (AI) technology have provided cyber actors with a new way of manipulating individuals – deepfakes. Deepfakes take impersonation and deception to a new level, where trusted individuals are impersonated via audio or video. Incredibly realistic deepfakes of authority figures can be created using synthesized facial images and speech or manipulated videos, photos, and audio recordings to trick people into taking any number of actions. Deepfakes can even be generated in real time, such as impersonating a CEO in a call to a help desk to request that credentials be reset or that an attacker-owned device be added to receive multifactor authentication codes, or in Zoom meetings where the participants are convinced they are conversing with the genuine person.
Social engineering is the subject of the October 2024 cybersecurity newsletter from the HHS’ Office for Civil Rights. In the newsletter, OCR explains how social engineering is used in attacks on healthcare organizations and how to identify and avoid social engineering attacks. The newsletter also explains how compliance with the HIPAA Security Rule can help HIPAA-regulated entities improve their defenses against social engineering and mitigate threats.
“Attackers have learned how to convincingly imitate our loved ones and our business partners, meaning that nothing can be assumed or taken at face value. Attackers continue to refine their manipulation through social engineering tradecraft. All of these threats have a common theme; they all attempt to convince an individual to do something they would not otherwise do normally, or to provide details such as credentials someplace other than where they should be used,” explained OCR in the newsletter. “Educating workforce members on these attacks is essential when it comes to an individual’s ability to identify and potentially halt social engineering attacks before they start. Such knowledge is powerful not only to protect individuals in their personal online activities, but also by extension an individual’s employer. This is especially important in the current environment where work is taken home on laptops, smartphones, and through remote work.”
Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
The HIPAA Journal is a registered trademark. Copyright © 2014-2024 The HIPAA Journal. All rights reserved.
This is a newsfeed from leading technology publications. No additional editorial review has been performed before posting.