In the United States, healthcare phishing emails are being sent in increasing volume by cybercriminals looking for an easy entry point into insurance and healthcare providers’ networks. Healthcare employees are now being targeted with spear phishing emails as they are seen to be the weakest link in the security chain, resulting in HIPAA compliance breaches.

It is after all, much easier to gain entry to a healthcare network or EHR system if malware is installed by nurses, physicians, or administrative staff than it is to find and exploit server and browser security vulnerabilities. It is even easier if a member of staff can be convinced to divulge their email account or network login credentials. Hackers and cybercriminals are devising more sophisticated healthcare phishing emails for this purpose.

Clever healthcare phishing emails could fall any number of staff members

Even well trained IT security professionals have been fooled into responding to phishing scams, so what chance do busy physicians, nurses, and members of the billing department have of identifying healthcare phishing emails?

According to the Department of Health and Human Services’ Office for Civil Rights (OCR), employers will be held responsible if their staff fall for a phishing email, unless they have taken proactive steps to reduce the risk of that occurring.

This week, OCR announced it arrived at a settlement with University of Washington Medicine for a 90,000-record data breach that occurred as a result of staff falling for healthcare phishing emails. The settlement involved UWM paying OCR $750,000.

Small to medium-sized healthcare organizations could also be fined for members of staff accidentally installing malware. UWM may be able to cover such a substantial fine, but the average 1-10 physician practice would be unlikely to have that sort of spare cash available. Such a penalty could prove to be catastrophic.

Why was such a heavy fine issued?

The issue OCR had with UWM was not the fact that a data breach was suffered, but that insufficient efforts had been made to prevent the breach from occurring. U.S. healthcare legislation requires all healthcare organizations to conduct a comprehensive, organization-wide risk assessment to identify potential security vulnerabilities. In this case, University of Washington Medicine had not done this. A risk assessment was conducted, but it did not cover all subsidiaries of the organization, in particular, the medical center whose employee was fooled by the phishing email.

Healthcare phishing emails are such a major data security risk that efforts must be made to reduce the risk to an acceptable level. Had a risk assessment been conducted, the phishing risk would have been identified, and action could have been taken to prevent the breach.

OCR would not expect organizations to always be able to prevent employees from responding to healthcare phishing emails. OCR does expect healthcare organizations to make an effort to reduce risk, such as advising staff members about the threat from healthcare phishing emails, in addition to providing basic data security training at the very least.

Addressing the data security risk from healthcare phishing emails

Since the risk of cyberattack via phishing emails is considerable, healthcare organizations of all sizes must take proactive steps to mitigate the risk of employees falling for the email scams. Staff members must be informed of the very real danger from phishing, and the extent to which cybercriminals are using the attack vector to compromise healthcare networks.

They must be told to be vigilant, as well as being instructed what to look for. Training on phishing email identification must be provided, and in order to satisfy auditors, a signature must be obtained from each member of stall to confirm that training has been received.

Staff members should also have their ability to identify healthcare phishing emails put to the test. They should be sent dummy phishing emails with email attachments and fake phishing links to see if they respond appropriately. If they respond incorrectly after training has been provided, further help with phishing email identification must be given. These processes should also be documented in case auditors come knocking.

Due to the considerable risk of a healthcare phishing attack, and the ease at which networks can be compromised, additional protections must also be employed.  Small to medium-sized healthcare organizations that can ill afford a regulatory fine should make sure automated anti-phishing solutions are put in place.

These protections do not need to be expensive. There are cost effective solutions that can be employed that will reduce risk to a minimal and acceptable level. If training is provided and anti-phishing controls have been employed, OCR and other regulatory bodies would be less likely to fine an organization if a phishing-related data breach is suffered.

Deven McGraw, OCR Deputy Director for Health Information Privacy, recently pointed out that it is not possible to totally eliminate risk, but it is possible to reduce risk to an acceptable level. That is what OCR wants to see.

Automated solutions to reduce risk from healthcare phishing emails

To reduce the risk of members of staff responding to phishing campaigns, a powerful email spam solution must be implemented. Anti-spam solutions such as SpamTitan are cost-effective, easy to configure and maintain, and will block 99.98% of all spam emails. If phishing emails are not delivered, staff members cannot respond to them.

An anti-spam solution will not stop members of staff visiting malicious websites when surfing the Internet. Links to these malicious websites are often located in website adverts, on legitimate sites that have been hijacked by hackers, or contained in social media posts. To protect networks from these attack vectors, a web filtering solution should be employed.

WebTitan blocks users from visiting sites known to host malware. The anti-phishing solution can also be used to restrict Internet access to work-related websites. This will greatly reduce the risk from drive-by malware downloads and phishing websites.

Access rights can be configured on an organization-wide level to block malware-hosting sites. Group level privileges can be set to prevent social media networks from being accessed, for example. This control allows certain groups to have access to social media networks for work purposes, while reducing risk that comes from personal use. Individual access rights can also be set if required.


Provide training to the staff, block email spam and phishing emails from being delivered, and implement a web filter to manage web-borne risks, and not only will it be possible to keep networks and email accounts secure, heavy regulatory fines are likely to be avoided.