A phishing attack on a HIPAA-covered entity has led to a $400,000 HIPAA breach fine for non-compliance. This is not the first time a phishing attack has resulted in a penalty from OCR for non-compliance.
The failure to stop a phishing attack does not in itself lead to a HIPAA penalty, but failing to implement adequate protections to prevent such attacks could land HIPAA-covered entities in hot water.
HIPAA Compliance and Phishing
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) Rules. While OCR audits covered entities to identify the aspects of the HIPAA Rules that covered entities find difficult to comply with, to date no fines have been issued for HIPAA violations discovered during compliance audits. The same is certainly not true of investigations of data breaches.
OCR investigates every data breach that impacts more than 500 individuals, and those investigations often lead to the discovery of violations of HIPAA Rules. Any HIPAA-covered entity that experiences a phishing attack that exposes patients’ or health plan members’ protected health information could therefore have earlier HIPAA violations uncovered. A single phishing attack that is not thwarted could end in a substantial fine for non-compliance.
What HIPAA Rules cover phishing? While HIPAA makes no specific reference to phishing, phishing is a threat to the confidentiality, integrity, and availability of ePHI and is covered under the administrative safeguards of the HIPAA Security Rule. HIPAA-covered entities are required to provide ongoing, appropriate HIPAA training to staff members. §164.308(a)(5)(i) requires security awareness training to be provided, and while these are addressable requirements, they cannot be disregarded.
These administrative measures include the issuing of security reminders, protection from malicious software, password management, and log-in monitoring. Employees should also be taught how to identify possible phishing emails and what the correct response is when such an email is received.
The HIPAA Security Rule also requires technical safeguards to be implemented to protect against threats to ePHI. Reasonable and appropriate security measures, such as encryption, should be employed to protect ePHI. Since ePHI is often accessible through email accounts, a reasonable and appropriate security measure would be to employ a spam filtering solution with an anti-phishing component.
Given the frequency of attacks on healthcare providers, and the extent to which phishing is involved in cyberattacks – PhishMe reports that 91% of cyberattacks start with a phishing email – a spam filtering solution can be classed as a vital security control.
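To make the "anti-phishing component" concrete, the following added example (not code from the original article or from any filtering vendor it mentions) shows the kind of header-level checks such a component performs before a message reaches a staff member's inbox: sender authentication results (SPF, DKIM, DMARC), a Reply-To that diverts replies to a different domain, a display name that claims to be the organisation while the address is external, a sender domain that is merely a lookalike of the organisation's own, and pressure wording in the subject. The organisation name, the internal domain `example-health.org`, the lookalike `examp1e-health.org` and both sample messages are constructed for illustration.

```python
"""Header-level anti-phishing triage for inbound mail (added example)."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumptions (constructed): the covered entity's name and mail domains.
ORG_NAME = "Example Health"
INTERNAL_DOMAINS = {"example-health.org"}

# Authentication results that a filter should treat as a negative signal.
_AUTH_FAILURES = {"fail", "softfail", "permerror"}
_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
_URGENCY_RE = re.compile(r"\b(urgent|immediately|suspended|verify your)\b", re.I)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def _normalise(domain: str) -> str:
    """Collapse common character substitutions so lookalikes match the real domain."""
    d = domain.lower()
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"),
                            ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(lookalike, real)
    return d


def analyse(raw_message: str) -> dict:
    """Score one RFC 5322 message and return its findings and a verdict."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    # 1. Sender authentication: any failed mechanism is a finding.
    auth_header = str(msg.get("Authentication-Results", "")).lower()
    for mechanism, result in _AUTH_RE.findall(auth_header):
        if result in _AUTH_FAILURES:
            findings.append(f"auth: {mechanism}={result}")

    # 2. Reply-To pointing at a different domain than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"reply-to: replies diverted to {_domain(reply_addr)}")

    # 3. External sender that imitates the organisation by name or domain.
    if from_domain not in INTERNAL_DOMAINS:
        normalised_internal = {_normalise(d) for d in INTERNAL_DOMAINS}
        if _normalise(from_domain) in normalised_internal:
            findings.append(f"lookalike: {from_domain} resembles an internal domain")
        if ORG_NAME.lower() in display_name.lower():
            findings.append("display-name: claims to be internal but address is external")

    # 4. Pressure wording typical of credential-harvesting lures.
    subject = str(msg.get("Subject", ""))
    if _URGENCY_RE.search(subject):
        findings.append("subject: urgency or account-threat wording")

    if len(findings) >= 2:
        verdict = "quarantine"
    elif findings:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"from": from_addr, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Example Health IT Helpdesk" <helpdesk@examp1e-health.org>
Reply-To: collect@mail-drop.example
To: nurse@example-health.org
Subject: URGENT: verify your password to keep EHR access
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=examp1e-health.org; dkim=none; dmarc=fail header.from=examp1e-health.org

Your account will be suspended unless you log in at the link below.
"""

BENIGN = """\
From: "Records Dept" <records@example-health.org>
To: nurse@example-health.org
Subject: Updated visitor policy for March
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass header.d=example-health.org; dmarc=pass header.from=example-health.org

The updated visitor policy is attached to the intranet page.
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(analyse(sample))
```

A production filter would add URL reputation, attachment scanning and body analysis on top of these checks; the point of the example is that a handful of header signals already separates the constructed lure (six findings, quarantined) from ordinary internal mail (no findings, delivered), which is the behaviour a covered entity should be able to demonstrate for its own filtering control.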
The danger posed by phishing should be highlighted during a risk analysis, a required element of the HIPAA Security Rule. A risk analysis should identify the risks and vulnerabilities that could result in ePHI being exposed or stolen. Those risks must then be mitigated as part of a covered entity’s security management process.