Copyright:  / 123RF Stock Photo

Two recently reported breaches of hospital data affecting thousands of patients highlight the prevalence, and apparent success, of phishing attacks.  Boston-based Partners HealthCare notified approximately 3,300 patients after a group of staff members were tricked by a phishing scam, and Indiana-based St. Vincent Medical Group, a 20-hospital system that is part of Ascension Health, reported a breach affecting nearly 760 patients that resulted from a phishing attack that involved a single employee’s email account.

The Department of Health and Human Services (HHS), Office of the Chief Information Officer, published an “Information Systems Security Awareness Training” document for FY 2015 that is simple to follow, has easy and useful tips, and even includes enough pictures and graphic images to make what could be dull cybersecurity lessons visually stimulating (the kitten fishing photo comes from page 34).

The phishing-avoidance tips from HHS may seem obvious, but are worth regular review with covered entity and business associate staff who use company email accounts:

* NEVER provide your password to anyone via email.

* Be suspicious of any email that:

    — Requests personal information.

    — Contains spelling and grammatical errors.

    — Asks you to click on a link.

    — Is unexpected or from a company or organization with whom you do not have a relationship.

* If you are suspicious of an email:

    — Do not click on the links provided in the email.

    — Do not open any attachments in the email.

    — Do not provide personal information or financial data.

    — Do forward the email to the HHS Computer Security Incident Response Center (CSIRC) at csirc@hhs.gov and then delete it from your Inbox.

Although HHS’ CSIRC undoubtedly does not want a barrage of emails from non-government entity staff reporting potential phishing attacks, a covered entity or business associate should articulate a similar process for staff to follow when a suspicious email is identified.

Bill Maruca, a Fox Rothschild partner and editor of this blog, added the following tips for recognizing potential phishing emails:

* Be suspicious of any email that:

    — Includes multiple other recipients in the “to” or “cc” fields.

    — Displays a suspicious “from” address, such as a foreign URL for a U.S. company or a Gmail or other “disposable” address for a business sender. However, even when the sender’s address looks legitimate, it can still be “spoofed” or falsified by a malicious sender.

Bill points out that he has noticed these indicators in phishing emails in the past, even those that otherwise looked like they came from official sources.
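
Several of the indicators in the two lists above can be checked mechanically when a reported message reaches whoever handles triage. The Python below is an added example, not part of the HHS training document or the original post; the domain lists, brand table, recipient threshold, keyword patterns and sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed values for illustration; tune them for your own organization.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
KNOWN_SENDERS = {"example hospital": {"examplehospital.example"}}  # brand -> real domains
MAX_RECIPIENTS = 3  # hypothetical cut-off for "multiple other recipients"
SENSITIVE = re.compile(r"password|social security|account number|date of birth", re.I)
LINK = re.compile(r"https?://[^\s\"'<>]+", re.I)

def body_text(msg):
    chunks = []
    for part in msg.walk():  # covers single-part and multipart messages
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def phishing_indicators(raw):
    """List the indicators present; From can be spoofed, so [] is not a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hits = []
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > MAX_RECIPIENTS:
        hits.append("many-recipients")
    if domain in FREE_MAIL:
        hits.append("free-mail-sender")
    # Display name claims a known organization but the address is elsewhere.
    for brand, domains in KNOWN_SENDERS.items():
        if brand in display.lower() and domain not in domains:
            hits.append("brand-domain-mismatch")
    text = body_text(msg)
    if LINK.search(text):
        hits.append("contains-link")
    if SENSITIVE.search(text):
        hits.append("requests-sensitive-info")
    return hits

# Constructed sample message, not a real email.
SAMPLE = """\
From: "Example Hospital IT" <helpdesk.examplehospital@gmail.com>
To: a@examplehospital.example, b@examplehospital.example, c@examplehospital.example, d@examplehospital.example
Subject: Mailbox over quota

Your mailbox is full. Go to http://mail-verify.example/login and confirm your password.
"""
```

Calling `phishing_indicators(SAMPLE)` returns all five indicator labels; the output is a prompt for human review, not a replacement for the reporting process described above.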