Last week we published an article reporting that Prestera Health was breached due to a vulnerability in their email system. This week Jefferson Healthcare in Port Townsend, WA experienced a breach related to their email system.
In this case the breach was due to a PHISHING ATTACK.
A phishing attack is a bad actor sending emails that trick a user into clicking on a link. Clicking on the link can lead to malware being installed on the user’s computer, or it can bring the user to a scam website that looks like a valid website, where the user enters their personal credentials, giving the bad actors the ability to log onto systems and commit identity theft.
In this case the phishing attack gave the hackers access to the email account of the employee who clicked on the link. As a result of the hackers getting access to this email account, over 2500 individuals had their personal health information exposed or breached.
According to Jefferson Healthcare, potentially exposed information may have included full names, dates of birth, phone numbers, home addresses, diagnosis and treatment information, social security numbers and other financial information.
Jefferson Healthcare reports that the breach is limited to data in the email system and did not extend into the Electronic Medical Record.
There are a number of issues and concerns that a breach of this nature forces us to consider:
- Why was there unencrypted patient information in an email system?
- Patient information should not be sent via email in an unencrypted manner. If you need to email patient information, the best practice is to encrypt the documents and send the patient information as an encrypted attachment. If that had been the practice at Jefferson Healthcare, the information that was accessed by the hackers would have been encrypted and would not have been exposed to them.
- When sending an encrypted attachment, you need to send a decryption key – this is the ‘password’ the person has to enter to open the encrypted document. The decryption key should be sent in a different manner. It should not be sent via email. If somebody has access to an email account and can get both the encrypted document and the decryption code, they can easily open the document. So send the decryption code by text, fax, or phone call. This is known as out-of-band transmission. In this way the person receiving the document has everything they need to open it, but a hacker who gets access to the email account cannot.
- How did the email get through the security filters at the hospital?
- You need to make sure that your antivirus software is monitoring your email system to prevent malicious attachments from getting to users of your system.
- You should have spam protection set up on your email system to identify and quarantine potentially dangerous email before it gets to the end user.
- Both of these systems will reduce the number of malicious emails that are seen by the people in your organization, but neither method is foolproof.
- Why did the person click on the malicious link?
- Even with antivirus and anti-spam set up, some emails will make it through. We are all constantly getting emails that try to trick us into downloading malicious attachments or visiting malicious websites. Part of annual HIPAA training needs to include education about social engineering and phishing.
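To make the encrypted-attachment advice above concrete, here is an added example (not from the original post or from Jefferson Healthcare) using the OpenSSL command-line tool: the document is encrypted with a passphrase before it is attached, the passphrase is assumed to travel by phone or text rather than in the message, and the walk-through shows that whoever later reads the mailbox holds only ciphertext. The file names and the sample record are constructed for the demo.

```sh
# Added example: protect a patient record before attaching it to an email.
# Requires the openssl CLI (1.1.1 or later for -pbkdf2).
set -eu

# Encrypt $1 into $2 with AES-256-CBC; the key is derived from passphrase $3 via PBKDF2
# with a random salt. The passphrase reaches openssl through the environment, not the
# command line, so it does not appear in process listings.
encrypt_attachment() {
  PASSPHRASE="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$1" -out "$2" -pass env:PASSPHRASE
}

# Decrypt $1 into $2 with passphrase $3. Exits non-zero when the passphrase is wrong.
decrypt_attachment() {
  PASSPHRASE="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass env:PASSPHRASE 2>/dev/null
}

# Walk-through in a scratch directory. Returns 0 only if the intended recipient, who got
# the passphrase out of band, recovers the record while a mailbox thief without it does not.
roundtrip_demo() {
  work=$(mktemp -d)
  # Constructed stand-in for a patient record; not real data.
  printf 'Patient: J. Doe (constructed)\nDOB: 1970-01-01\nDx: sample\n' > "$work/record.txt"
  pass='shared-by-phone-not-email'   # constructed passphrase, delivered out of band

  encrypt_attachment "$work/record.txt" "$work/record.enc" "$pass"
  # What actually travels by email is opaque ciphertext with no readable patient data.
  ! grep -q 'Doe' "$work/record.enc" || return 1

  decrypt_attachment "$work/record.enc" "$work/recipient.txt" "$pass"
  cmp -s "$work/record.txt" "$work/recipient.txt" || return 1

  # Someone holding the mailbox but not the passphrase: decryption fails or yields garbage.
  if decrypt_attachment "$work/record.enc" "$work/attacker.txt" 'guess'; then
    cmp -s "$work/record.txt" "$work/attacker.txt" && return 1
  fi
  rm -rf "$work"
  echo 'attachment encrypted; only the out-of-band passphrase recovers it'
}

roundtrip_demo
```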
The important takeaway lessons from this event are:
If you are going to send patient information via email, always send that information as an encrypted attachment and send the decryption key separately by a different channel, so that hackers who get into the mailbox cannot decrypt the documents.
Make sure that your antivirus is turned on and is set to scan all emails and all email attachments.
Make sure your email service has anti-spam turned on to quarantine potentially malicious emails, so that the chance of a user clicking on a malicious link is minimized.
Provide all members of your workforce with training on social engineering so that they are aware of what to look for and what to avoid, and do not make the same mistake the person at Jefferson Healthcare made.
One final thing you can do is run a simulated phishing attack on your workforce. See who is tricked into clicking on the test link and then provide follow-up education to your staff. Regular training, reinforced with simulated phishing attacks, is a great way to minimize the possibility of your staff falling for these types of scams.
To see the press release from Jefferson Healthcare CLICK HERE