Even experts may narrowly avoid falling for phishing scams. Josh Black, a principal security analyst with Orem Utah’s Security Metrics, received an email giving him a number to call to receive a voicemail from the local police department. It appeared to know which voicemail system he used and had legitimate information that made it seem like it was real. But before clicking on the link, he thought for a moment and realized there was no reason he should be receiving an email from the police.

“But I bet a lot of people clicked on it,” he said. “There are so many phishing emails out there that if they even lure in 1% [of recipients], it’s all over.”

That is what happened at NCH Healthcare System based Naples, Florida, in June. Seventy-three of the organization’s 5000 employees clicked on a phishing email allowing hackers to get into email accounts. The hack was detected after the system’s staff noticed activity in its payroll system. An investigation is ongoing to determine if protected health information (PHI) was accessed.

Even if PHI was not breached, the organization has not gone unscathed. They had the cost and inconvenience of an investigation. Local and national news reported on the incident. Although there may be no HIPAA liability, good HIPAA training and improved security practices may have helped avoid the hack.

They just keep on clicking

The first phishing attempts can be traced to an AOL attack in the 1990s. After more than 2 decades, people are still unable to resist clicking, and spammers are becoming increasingly more sophisticated, according to Elizabeth Litten, a partner and HIPAA privacy and security officer at Fox Rothschild LLC in Princeton, New Jersey. Receiving notes from a crown prince seeking to give you a $1 million if you respond to an email are getting rarer. Today’s phishing emails have better grammar and come from what look to be trusted sources like co-workers or family members.

A survey by Datapac, a technology company based in Dublin, Ireland, found that 14% of Irish office workers (about 185,000 people) had fallen for a phishing scam. The survey found that millennials were the most confident in their ability to detect phishing emails. Ironically, however, they were more than twice as likely to have clicked on one (17%) than Baby Boomers (7%) or Generation Xers (6%).

Not always PHI

Hackers’ interest in gaining entry into an organization’s computer network may have nothing to do with PHI. Black points to the 2014 hack of The Home Depot, where the company’s system was breached when hackers used stolen credentials from a third-party vendor. Once in the system, the hackers navigated until they reached point-of-sale devices. Once there, they lifted credit card information and emails.

Hackers are not always looking for information to sell on the “dark web.” They may be working to get employee lists or vendor information. According to Litten, attackers can linger and determine who the key players are, and then impersonate someone like a CEO asking to divert a payment or get a payroll list.

As in the NCH case, this can have consequences aside from a report to the U.S Department of Health and Human Services. NCH must now take excess measures to keep their system safe.

“The CEO’s job is to make sure the company looks good, so the top of his radar for the next 2 to 5 years is going to be cybersecurity, and it will cost a lot of money,” Black said.

Do not be a victim

Though human error is impossible to avoid, there are a host of ways healthcare providers can help lower the odds that staff will fall for scams. Some easy technical controls can be implemented to make systems safer. First, Black recommends choosing a large service provider like Microsoft Office 365 or Google’s G Suite. These have built-in solutions that eliminate a lot of phishing attacks and can alert users to suspicious emails.

Another option, he says, is putting access controls in place. These only allow people into areas required for them to do their jobs. Controls limit the information available to hackers should a breach occur. 

Black also recommends working with a security company that offers simulated phishing attacks. These groups send fake phishing emails and report how many people, and who, clicked on them, and set up training for those who did the clicking.

Preventing phishing attacks does not always involve technologic solutions. Companies can train employees to recognize telltale signs, such as:

  • Emails that typically try to rush someone into an action.
  • Emails sent in the last quarter of the year because hackers are trying to file fraudulent tax returns.
  • Unusual or unexpected instructions or changes in pattern like sending a payment to an unusual account number.
  • Emails asking for account numbers or password changes.
  • Abnormal email addresses of the sender, such as those that do not correspond with the sender’s purported organization.

Lastly, organizations should create a culture in which employees are comfortable asking questions. “Tell them it is a legitimate, expected and good question and reward them as opposed to saying, ‘Of course it’s a scam, you are wasting my time.’” Litten said. “You can use it as an opportunity to share with others by saying, ‘Thankfully, one of your alert colleagues caught this so please don’t fall for it.’”

In addition, organizations should make sure staff members call a security officer if something seems amiss.