Phishing Email Disguised as HIPAA Audit Notification
On November 28, 2016, the U.S. Department of Health and Human Services (HHS) issued an alert that a phishing email was circulating on mock HHS departmental letterhead, under the signature of Jocelyn Samuels, Director of the Office for Civil Rights (OCR).
The email, which appears to be an official government communication to HIPAA covered entities, prompts recipients to click a link regarding possible inclusion in the HIPAA audit program. The link leads to a non-governmental website marketing a firm's cybersecurity services.
HHS warns covered entities that the email is not an HHS communication and is a serious misuse of government authority. If your organization is unsure whether it has received an official communication regarding a HIPAA audit, HHS asks you to contact it directly by email at OSOCRAudit@hhs.gov, using that address rather than any link or contact details contained in the suspect message.
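The two checks a recipient can make without clicking anything are whether the sender is actually under hhs.gov and whether every link in the body lands on an hhs.gov host. The script below, an added example that is not from the HHS alert or this article, runs both checks over a constructed message modelled on the one described: HHS letterhead and signature block, but a link whose visible text says hhs.gov while its target leaves that domain. The sender domain hhs-audit-notice.test and the link host hhs.gov.example-cyber-firm.test are placeholders; the alert does not name the firm's site.

```python
"""Flag a suspected HIPAA-audit phishing email by sender domain and link targets.

Added example, not part of the HHS alert or the original article. The sample
message and the .test domains in it are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: for an audit notice, only hosts under hhs.gov are legitimate.
TRUSTED_DOMAINS = ("hhs.gov",)


def _under_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a real subdomain of one.
    'hhs.gov.example-cyber-firm.test' is NOT under hhs.gov; the check is on
    the suffix, so a trusted name used as a prefix does not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: bytes) -> dict:
    """Return the sender domain, the links found, and a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Letterhead and signature prove nothing; the From header is cheap to
    #    forge too, but a sender outside hhs.gov is an immediate red flag.
    from_addr = msg["From"].addresses[0] if msg["From"] else None
    from_domain = from_addr.domain if from_addr else ""
    if not _under_trusted(from_domain):
        findings.append(f"sender domain '{from_domain}' is not under hhs.gov")

    # 2. Every link must land on an HHS host. Separately flag links whose
    #    visible text names a trusted domain while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not _under_trusted(host):
            findings.append(f"link to non-HHS host '{host}' (text: '{text}')")
            if any(d in text.lower() for d in TRUSTED_DOMAINS):
                findings.append(f"link text '{text}' disguises target '{host}'")

    return {"from_domain": from_domain, "links": collector.links,
            "suspicious": bool(findings), "findings": findings}


def build_sample(sender="OCR Audit Program <ocr-audit@hhs-audit-notice.test>",
                 href="https://hhs.gov.example-cyber-firm.test/audit") -> bytes:
    """Constructed message modelled on the alert. Defaults are the phishing
    case; pass an hhs.gov sender and link to see a message that passes."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "privacy.officer@clinic.example"
    m["Subject"] = "Notice of Potential Inclusion in HIPAA Audit Program"
    m.set_content("Plain-text fallback.")
    m.add_alternative(
        "<p>U.S. Department of Health and Human Services, Office for Civil Rights</p>"
        "<p>Your organization may be selected for the HIPAA audit program. "
        f"Review your status at <a href='{href}'>hhs.gov/ocr/audit</a>.</p>"
        "<p>Jocelyn Samuels, Director</p>",
        subtype="html")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in analyze(build_sample())["findings"]:
        print("!", finding)
```

The suffix test in `_under_trusted` is the part that matters: a host that merely starts with hhs.gov, as lookalike links often do, is rejected, while a genuine subdomain such as www.hhs.gov is accepted. Real mail filtering would add SPF/DKIM/DMARC results for the sender check; the script deliberately limits itself to what is visible in the message itself.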
Hospitals are not the only facilities at risk. Private practices, which typically have no onsite IT personnel, are just as exposed to ransomware and other attacks.
Bloomberg has reported how it is not as hard as it should be for attackers to crash, or manipulate, equipment and devices in hospital and office settings: not only phones and printers but also magnetic resonance imaging scanners, ultrasound machines and ventilators. So who is responsible for securing them?
All healthcare-related entities should periodically complete a system-wide risk analysis, implement a risk management plan, and strengthen internal policies and procedures to reduce, and where possible eliminate, the chance of such an event. As this case highlights, the risk analysis must account for the computers and devices employees use both inside and outside the office or facility.