Chat with us, powered by LiveChat

Don’t Get Caught! Five Ways to Avoid a Phishing Scam

Bobby Seegmiller Blog Image - Phishing

I love to spend time with my family. Some of our favorite outdoor activities include skiing and mountain biking. Unfortunately, this time of year it is hard to do either activity because the snow is too slushy to ski and the canyon trails are too muddy to mountain bike. However, there’s one activity that my family can enjoy this time of year… fishing!

Early spring is one of the best times to go fishing because of ice-off. Ice-off is when the warm weather of spring melts the ice from the shore causing the ice to recede rapidly. Because the fish have been dormant for six months, they begin to move to the shallow water to feed, taking almost any bait you throw at them. As the weather continues to warm, the ice disappears and the fish swim to deeper water for safety. As the season progresses, the fish are more aware of the lures being thrown at them and it becomes more difficult to catch a fish.

What is Phishing?

Like fish during ice-off, we can quickly be caught in a “phishing” scam if we don’t have the correct training to identify these “deceptive lures” and the security in place to protect our data.

Phishing is the art of sending mass emails with a common theme attempting to trick users into clicking a link allowing access to personal information and data. You might notice these phishing attacks look like they come from a reputable source but that is a tactic used to persuade individuals to reveal personal information. As technology evolves, so does the sophistication of these phishing attacks. It is no longer a matter of if you receive a phishing email but when you receive a phishing email.

Nobody wants to fall prey to a phishing scam. Fortunately, there are safeguards you can put in place to avoid becoming a victim. Here are three quick “gut check” guidelines to spot a phishing email.

How to spot a phishing email:
  1. Check for any spelling, punctuation, or grammatical errors.
  2. Does the email ask for personal information or request a quick favor?
  3. Is the email unexpected? Does it ask you to do something out of the ordinary?

If you receive an email that fits any of the categories above or the email just doesn’t seem to add up, it is likely a phishing email. Once you have identified the email as phony, you should blacklist the sender and delete it immediately.

This last month I received an email from someone claiming to be the President of HIPAA One and requested that I purchase Amazon gift cards as a bonus for our employees. Even though the email looked like it came from Steven Marco, our President, the email address did not actually match his email. Additionally, there were multiple spelling, punctuation, and grammatical errors in the email. This email was easy to spot as a phony but I might not be so lucky next time. It is important to be aware of current phishing techniques and have a plan in case an email link is accidentally opened possibly compromising data.

In addition to being able to spot a phishing attack, below are four steps you can do to keep your personal information secured.

How to avoid an email phishing attack:
  1. Be suspicious of emails, messages, texts, etc. that urgently request a favor or asks to share personal information.
  2. Think before you click any link in an email. If possible, type the web address directly into your browser instead of clicking links directly from an email.
  3. Regularly update your computer, email, and applications to ensure the latest security patches are applied.
  4. Never share personal information online or through email. If you do need to submit personal data online, make sure the website always starts with “https”. Also, where possible, turn on multi-factor authentication to further secure your account information.
Further secure your office:

For small practices using Microsoft Office 365 and Teams, you can leverage the built-in security and compliance features to combat the constantly evolving cyber security attacks everyone faces in healthcare and beyond. You can read our latest whitepaper HIPAA Compliance for Microsoft Office 365 on what you can do to implement these security features to prevent against attacks.

Like the fish caught during ice-off season, it is my hope that the more phishing attacks you see coming your way, the better you will be able to identify them as fake and not take the bait. It can cost you and your employer a significant amount of money and it could cost you your job.

HIPAA Compliance for Developers

Health and Fitness Mobile Apps

Are you a mobile app developer who’s developing a healthcare-focused mobile app? If you answered yes, then you need to know what HIPAA is and why you need to be HIPAA compliant.

While not every health-related app needs to comply with HIPAA rules, those involved with gathering, storing or distributing personally identifiable health information with covered entities, i.e. doctors, dentists, hospitals and health plans, must remain compliant or face severe non-compliance penalties.

What Is HIPAA

HIPAA, developed in 1996, is the acronym for the Health Insurance Portability and Accountability Act. HIPAA’s job is setting the standard to protect sensitive patient data. HIPAA requires business associates and covered entities to safeguard the privacy and security of protected health information, commonly referred to as PHI. Another need-to-know term is ePHI. This stands for electronic protected health information and refers to data that’s saved, transmitted or collected in electronic form.

There are four rules of HIPAA: the Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule. As a developer, the HIPAA Security Rule is the one you need to focus on.

The HIPAA Security Rule is made up of three parts, summarized:

  • Administrative Safeguards — Significant with implementing a compliant HIPAA app and tell you what you’re required to do.
  • Technical Safeguards — Summarize what your app needs to do when handling PHI.
  • Physical Safeguards — Determine who has authorized access to your PHI data and how said data is going to be managed.

If you want your app to be HIPAA compliant, you must follow each of the above safeguards.

Determining If Your App Must Be HIPAA Compliant

When trying to figure out whether or not your healthcare app is compliant with HIPAA or not, you must take into account the following considerations:

Data Security With Mobile Devices

There are several ways a security breach or violation can occur with a mobile device. Some common ways include mobile devices being lost or stolen, users not using passcodes or users using easily cracked passwords. As you develop your mobile app that’s intended to send and/or share patient data, you have to contemplate these possibilities and others so you can do all you can during the development process to prevent your app from being non-compliant. Not everything is in your hands, but you must control what is so your mobile app obeys HIPAA’s Privacy and Security rules.

How To Decide If Your App Needs To Comply With HIPAA

Like was mentioned above, not every health app on the market needs to be HIPAA compliant. As a matter of fact, most don’t. But let’s decide whether or not yours should be.

Your mobile app should be compliant if:

  • It records or shares PHI with a covered entity.
  • It has personal information about people directly identifying them and can be communicated with a covered entity.

Your mobile app doesn’t need to be compliant if:

  • It Lets users access illness or medical reference information.
  • It Permits users to keep track of their diet, weight or exercise habits.
  • It Describes diseases and illnesses.

Mobile App Requirements To Be HIPAA Compliant

If you checked off the bullet points under being compliant, then clearly your mobile app needs to be HIPAA compliant. Here are some things your app must include to be HIPAA compliant, which protects you and your app from severe non-compliance consequences:

  • Encrypt data that’s going to be stored on your app.
  • Make users access PHI securely with unique user authentication.
  • Provide backup measures for data if a device is lost or stolen.
  • Apply consistent updates for the safety and protection of data.
  • Don’t include PHI with push notifications.
  • Don’t use a third party hosting or storing system unless they’re HIPAA compliant and sign a business associate agreement with you.

As a mobile app developer, it’s imperative that you understand HIPAA and its rules and take the necessary precautions to ensure your healthcare app is HIPAA compliant before it’s launched.

Boy Scouts and Business…and HIPAA?

I come from a family with 6 boys, all of which are Eagle Scouts. I’ve used many skills I learned from Boy Scouts in my travels across the globe.    From Heli-skiing in Alaska, caribou hunting with a bow in the vast tundra of Quebec to roaming the streets of Jerusalem.  Each skill I learned in Scouting has been put to the test at one point or another in my life.

For the last 16 years I’ve served as a volunteer Scout leader in the Boy Scouts of America and have tried to give back to the youth by teaching them the lessons I feel will help them be successful in all facets of life. Sitting at the top of the list is being prepared. Whether it’s being prepared physically and mentally to weather a storm and build a shelter for safety or being prepared to communicate with someone in another language or being prepared to be honest in business dealings with others.

Being prepared is the Boy Scout motto. “Be prepared for what?” someone once asked Robert Baden-Powell, the founder of Scouts, to which he replied, “Why, for any old thing.”

I am shocked in my professional career that this simple mantra of being prepared is not more readily observed. I’ve had conversations — too many to list — with providers and CIOs making statements indicating they were comfortable participating in the CMS Meaningful Use incentive program and receiving large incentive funds without properly understanding what they’re committing to.  That is scary!

I recently became aware of a covered entity that received close to 1 million dollars from CMS as a participant of Meaningful Use, yet upon inquiry from Figliozzi to produce the Security Risk Analysis required by the HIPAA Security Rule they were unable to do so.

In an email addressed to them the concluding remarks stated, “If the aforementioned meaningful use criteria are not met, the incentive payment will be recouped.”  Yikes!  Our experience has shown that many hospitals and clinics are running on a 60 to 90 day cash runway. Returning funds of this magnitude with such minimal operating capital could result in unfortunate consequences.

When will the phase 2 audits begin?  OCR will begin phase 2 audits in October 2014 and will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses as their focus.  These entities will have two weeks to respond to the OCR’s request.  OCR will only consider current documentation that is submitted on time.  Failure to respond could result in a more in depth compliance review.

In the spirit of being prepared, here are 2 simple steps to help get your organization started in its preparation for an audit.

#1 Dig up and dust off your Security Risk Analysis 

  • Can you find it?
  • Is it up to date?
  • Have you been working on the gaps in compliance identified for remediation?

If you checked the box and did not conduct a proper SRA, then beware! There are many who have simply checked the box that an assessment has been done at the facility without understanding the rigor and liability of what is being asked by CMS. We are finding that some providers would rather roll the dice when it comes to an audit of their HIPAA Security risk assessment. According to CMS, 68% of those audited fail because they have not conducted an SRA or have done it incorrectly. This is not a matter to be trifled with. If a provider fails even this one measure of HIPAA compliance, CMS will recoup the entire amount. It’s all or nothing.

#2 Designate a HIPAA Security Officer

Designate someone to be your HIPAA Security Officer to avoid confusion on who should own the responsibility for overseeing the risk assessment process and ensure HIPAA compliance protocols are followed in the organization. The former will include gathering and storing information from several parties. A typical Security Risk Analysis includes information gathered and aggregated from the HR Director, EMR Administrator, IT Network Manager, Facilities Manager, IT Server Manager and HIPAA Security Officer. Using this approach, specific role-related questions are answered by each of the parties aforementioned.

Here’s a good example: An IT Network Manager is asked, “Has your organization performed an external (i.e. Internet) server and network vulnerability scan on your Internet-facing devices in the past year?” If their answer is yes, then they are asked to supply supporting documentation. If their answer is no, then a threat, likelihood and impact are identified and a high, medium or low risk is associated to that question with a remediation task for later fulfilment. A follow-up question would be, “Were there any critical and/or high risk vulnerabilities discovered in the vulnerability scans?” CMS is not only looking to see that you completed a Security Risk Analysis, but that you are working on remediating items deemed high risk.

When it comes time to present on the current state of compliance in your organization, having one point of contact organizing this information helps keep all parties on task and working toward HIPAA compliance.

Be warned when a CMS, OCR or government-sponsored inquiry occurs and Security Risk Analysis documentation is requested. Answering the questions, “Where is it and who has it?” with “not me” won’t cut it and will result in your organization returning your incentive payment. The phrase “not me” isn’t just a fictional character in the family circus cartoon. It’s a human condition in the brain designed to absolve one’s self of any duty, accountability or responsibility in a particular situation one prefers not to be inserted into. Replying “not me” could cost your organization millions of dollars in fines and embarrassment.

The best way to be prepared to survive a Meaningful Use audit or other government inquiry is to show compliance through organized documentation, processes, policies and procedures.  Resources are readily available, so find the best Boy Scout in your office, dub them with the title of HIPAA Security Officer and get to work! And remember, compliance is NOT a destination but a journey. Enjoy the journey!