Recently, the Office for Civil Rights (OCR) resolved a breach investigation that began with a phishing email. Phishing emails lead to attacks on networks when authorized users receive an email that appears legitimate. When a user clicks a link in the email, it launches malware.
Staff training on recognizing phishing emails is important and should be a part of your security awareness training.
Lessons learned from this OCR case reaffirm that covered entities are often failing to meet the most basic requirements of the HIPAA Security Rule — conducting a security risk analysis and developing a risk management plan to address issues discovered. In this case:
- The covered entity failed to conduct a risk analysis until after the security incident.
- Consequently, the covered entity had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.
- When the covered entity conducted a risk analysis, it was insufficient to meet the requirements of the Security Rule.
As part of the Resolution Agreement, the covered entity agreed to:
- Conduct a Security Risk Analysis after obtaining approval of their plan by Health and Human Services (HHS).
- Develop a Risk Management Plan.
- Review and Revise Policies and Procedures.
- Review and Revise Training Materials.
Additionally, HHS required the entity to provide Security Rule training to its employees within 30 days of the Resolution Agreement and again every year. New employees would be required to complete training within 30 days of their hire date. This training requirement was far more prescriptive than the training requirements found in the Security Rule itself.
For more information about security risk analysis or cyber risk management, please contact our Product Development and Consulting Services team.
To learn more about email phishing and email fraud, read our SlideShare presentation, What Every Physician Needs to Know: How to Detect Email Fraud.
About the Author
Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Representative. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at firstname.lastname@example.org.