Don't be surprised that this old trick still works.

You may think that only high-tech solutions can help your lab protect against Health Insurance Portability and Accountability Act (HIPAA) breaches, but the truth is that simple staff education may help save the day.

Here's why: One portal to your data is still the good-old phishing attack, which involves a malicious communication disguised as a trustworthy source in an attempt to gain access to your system and steal information. In fact, emails were the cause of 13 healthcare organization HIPAA breaches in one recent month, impacting more than 150 thousand individuals, according to the HHS Office for Civil Rights (OCR) Breach Portal. Seven of those breaches involved unauthorized access or disclosure by personnel.

Identify the Threat

Email has been around for a long time, so it's easy to assume that your staff understands the nuances of spam, junk, or malicious threats that could corrupt your lab's network. But the rise in email attacks highlights that not all healthcare workers fully understand the implications.

"Although there has been a lot of recent publicity about external threats to the information systems of healthcare providers, covered entities need to also consider and proactively address threats from within their organization," such as their employees and contractors, suggests healthcare counsel Elizabeth Hodge, Esq. and partner attorney Carolyn Metnick, Esq. with Akerman LLP. That doesn't mean threats that your staff might take patient information, but threats that your staff might be vulnerable to practices such as phishing.

Insight: Many high-level employees including managers, clinical staff, and administrators are often the most at-risk for attack in a phishing practice known as "whaling." Social engineers oftentimes use another tactic called "spear phishing" too, which targets vulnerable or novice staff who unwittingly click and unleash chaos.

Follow Expert Tips to Secure Email

You can help avoid having your system hijacked through phishing by following a few simple steps. In a health law blog from Ogden, Murphy, Wallace Attorneys in Seattle, attorney Casey Moriarty, Esq. offered the following tips:

"Also consider your workforce's privacy knowledge," Hodge and Metnick add. "Many employees do not know how to identify socially engineered emails or other security threats. Employees should be trained on identifying socially engineered emails."

"Fix your people. They are prone to human error," agrees compliance expert Brand Barney, CISSP, HCISPP, QSA, a security analyst with Security Metrics in Orem, Utah.

Resource: For a look at the OCR's Cybersecurity Newsletter on phishing, visit .