Spoofing, Phishing, and how to avoid getting caught in the middle

After attending the Office for Civil Rights (OCR) annual webcast, many things were confirmed that we thought may have been rumors. First of all, medical offices are targets of hacking because you hold everything needed for identity theft.

What is identity theft? Most people think of it as their credit card being stolen, or even their tax returns. True, that is identity theft but there is also another component that is not often talked about. That is, assuming someone else’s identity for health care purposes. Imagine someone assumes your identity and has a surgery and “corrects” your medical record and changes your blood type. Then, you are involved in a car accident and receive a blood transfusion but it’s the WRONG blood. Yes, this can happen. We are not sure how often, but with the rise of medical records being stolen we could see this happen more often. Knowing where your data is located and how it is stored is a starting point in protecting this valuable information. Conducting a risk analysis and having an ongoing risk management is mandatory under HIPAA. During this process you will uncover potential vulnerabilities. Once you mitigate these risks, you may be able to avoid a data breach.

Protecting yourself and your organization is one in the same. Practice these safety tips at work and at home:

  • Make sure your operating system updates are current as well as your anti-virus and anti-malware.
  • Scan for viruses and malware after every update.
  • If you use personal devices to access ePHI or work files, be sure to use enterprise versions of anti-virus and anti-malware. Free versions typically are not robust enough.
  • NEVER use free Wi-Fi even if you are not accessing any patient information. You could pick up malware from someone that has spoofed the Wi-Fi network that you thought you were logging into.
  • NEVER click on links within emails that claim to be urgent or a free offer of some type. Typical phishing expeditions start in this manner. After you click, they ask for certain information they are lacking about you or they may ask for everything! Sometimes, this is merely a tactic to get you to go to a certain website and place malware on your computer and you never even know it.
  • NEVER click on a link within an email asking you to verify your identity. You wouldn’t show a stranger on the street your driver’s license just because they asked to see it, then why would you “verify” your identity with someone invisible in your email? Again, this is how spear phishing starts.
  • NEVER click on an attachment within an email unless you are expecting it, even if you know the person that sent it. Their email could have been hacked and you are being spoofed into thinking it is from them. This includes messages from FedEx, UPS, and the IRS. Best practices is to open your web browser and go to their website and sign in.
  • NEVER click on links in text messages unless you are expecting one, such as you just signed up for text messages from a service provider. Bank customers are being spoofed into clicking on links in text messages and taking you to what looks like your bank. Guess what… it’s NOT your bank but looks like it!

I have said this before… the World Wide Web (WWW) is the new Wild Wild West. The only difference is, in the old wild wild west you could see danger coming on the horizon and prepare. The World Wide Web, the dangers are there, but they are invisible.

Be safe out there!

To find out more about how our automated HIPAA compliance platform can help your organization click here:


Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Passwords – why you need to change them and not reuse previous ones!

Just as the eyes are the window to our soul, passwords are the gateway to our inner most kept secrets.
Passwords are used to gain access to YOUR information, but what happens when your passwords are responsible for other people’s information? Did you know that by having your email hacked, you could potential expose not only your personal information but that of others?

Recently, I receive a text from a friend of mine saying “LOL, your email was hacked, just got a fake email from you!” Since she knows that I work in medical offices and with HIPAA compliance, she thought this was funny. However, the problem was, it was HER email that was hacked and they spoofed my address in hopes that she would fall for it. This is just one of the many ways that hackers “get in”. Some hacks start with this type of phishing email that someone falls for, depending on the hackers intentions… the sky’s the limit!

Did you know that a hacker that could get into your email would have the ability to change your access codes to many different resources and you not even know it? Many sites verify your identity through your email address. For instance, if you use the same password across different platforms, once they gain access to your email, they can try that password on other sites. Then they can change YOUR credentials and even change banking information.

So.. what can you do to protect your information and that information that you are responsible for…

Here are some suggestions that you may use. Maybe not all of them, but incorporate as many as you can.

  1. Use STRONG passwords, preferably pass phrases.
  2. Change them at least them at least every 90 days.
  3. Do not share your passwords.
  4. Do not use the same password/phrase phrase across multiple platforms.
  5. Do not reuse the same passwords.
  6. Enable two step authentication wherever offered.
  7. Utilize an encrypted file and copy/paste passwords instead of typing them each time.
  8. Make sure the network that you are accessing information from is secure.

Although nothing in this day is 100% safe, by simply adding a few precautionary measures you can protect yourself and the patient information that you are responsible for as much as possible!

If you would like to schedule a HIPAA training course customized to your facility, or if you need to update any of your HIPAA security needs call 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Cost of cyber attacks on healthcare are steadily rising

Why are so many medical offices being attacked? Simple, this is a one stop shop for everything needed for identity theft and many medical practices do not have appropriate safeguards in place. Business associates have even been the target or the entry point. HIPAA requires certain security safeguards to be in place to ensure the safety and security of Protected Health Information (PHI).

There have been 188 data breaches of 500 or more patient records in the first 6 months of this year, and in April alone there were 42. Thirteen of the 188 have already been resolved. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
These breaches include small medical practices, business associates, and hospitals. Small and large. Paper and electronic. No one is immune. Many organizations think they are too small to get hit, but the fact is the most common problem is untrained staff that unknowingly cause this to happen. Education is the key to avoiding this catastrophe from destroying your reputation. Of course you still need to certain technical safeguards in place, but even then it only takes one click of a mouse to bring your network down.

Here are some areas to consider:

  1. How would you process a data breach?
  2. How would you handle the reputation management of the breach?
  3. How would you pay for the cost of breach and the investigations?

Having a breach notification plan in place before a breach occurs is critical to reducing the damage. You must have processing in place to shut the system down, continue manually, and report to the appropriate authorities.

Consider the lack of trust from your patients since their information was compromised from your office. No matter if it was your fault or that of a business associate this could have a negative impact on your patient database.

Breaches are costly on many fronts, the first being the cost of the notification of the patients, investigations, downtime, and the mitigation of the source of the breach. In 2013 the Ponemon Institute reported that a data breach cost $233 per medical record, now in the 2018 the report states a healthcare breach can cost on average $408 per medical record.

Keep in mind if you do not know which records were breached then everyone must be included in the notification process. What could turn out to be the most costly is the fines and penalties associated with the breach. Depending on how and when you processed the breach is one determining factor. Also once the investigation is complete, if it is discovered this was an ongoing problem and was not mitigated, then you could be found in willful and wanton neglect. This is NOT a place you want to find yourself! The Office for Civil Rights (OCR) can also fine you for not conducting a thorough enough risk analysis thus leaving vulnerabilities untouched. How well do you trust your efforts in securing your data? Have you conducted a risk assessment to determine if what you have in place is sufficient?

How can Aris help?

  • First of all we conduct a thorough risk analysis that uncovers vulnerabilities and create a risk management plan so that you can mitigate those risks.
  • Since written documentation is also part of HIPAA compliance, we provide the necessary privacy and security policies, procedures, and documentation needed for state and federal regulatory requirements.
  • We also offer HIPAA training that includes privacy and security and any custom requests.
  • If you are one of the many organizations that simply do not have the time to implement your HIPAA program, we can do that for you as well. Month to month, no long term contracts!

If you would like a free HIPAA checkup call 877.659.2467 or complete the contact us form.

“Simplifying HIPAA  through Partnership, Education, and Support”

Software Patches and Updates – Why they are so important.

Whether you work in a medical office or are a business associate, they all rely heavily on the software they use for patient care. The reason software developers send out periodic updates is because more than likely a vulnerability has been discovered and the “patch” or “update” will mitigate the issue. Vulnerabilities come in a variety of types including electronic health records (EHRs), operating systems, custom software, databases, email, and even Java and Adobe Flash. Each program will have its own type of vulnerabilities. Unpatched software poses to a threat to ePHI and updating is required under HIPAA. Routers, phones, servers, and even some refrigerators have firmware that must be updated as well.

When discussing routers, it is important to mention that all routers come with default settings, including a username and password. These must be changed, otherwise they can be hacked. Routers also need to be rebooted or reset sometimes, depending on the type of vulnerability that has surfaced. Malware can infect not only your phone and computers, but also your router. It is imperative that you have an experienced IT professional that is current on these issues. Long gone are the days of plug and play. Although it is not difficult to set up a computer or a network, securing it is a whole new game.

Even if you utilize a cloud based system, the devices you use to access your system can be compromised. If you haven’t done so already, you should invest in a qualified IT vendor that will secure and monitor your computers and network. The data that your patients have entrusted you with is sought after in many areas. It is required under HIPAA to have reasonable and appropriate safeguards in place, but besides that… it’s the right thing to do!

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Simplifying HIPAA through Partnership, Education, and Support”

©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC