Healthcare Cybersecurity

Study Reveals 75% of Employees Lack Security Awareness

For the past three years, security awareness training company MediaPRO has conducted an annual study of employees’ security awareness and knowledge of cybersecurity best practices.

The study measures the susceptibility of employees to a wide range of security threats and assesses their ability to identify phishing threats, possible malware infections, and cloud computing and social media risks. Their knowledge of best practices concerning physical security, working remotely, and reporting security incidents is also tested.

This year, 1,024 employees from 7 industry sectors took part in the State of Privacy and Security Awareness study and were asked questions relating to all of the above aspects of privacy and security.

MediaPRO assigned each participant a category based on the percentage of questions they got right:

  • Hero – An individual with an excellent understanding of security and how to protect assets.
  • Novice – Someone that has a reasonable understanding of the basics of security but needs to improve their knowledge in key areas.
  • Risk – An individual whose lack of understanding of threats and best practices represents a considerable risk to their organization.

This year, there was an improvement in the number of employees who ranked as hero – 25% of those taking part in the study. However, 75% of employees lacked security awareness to some degree and answered fewer than 90% of the questions correctly.

The figures are considerably worse than last year across the board. In 2016, only 16% of employees were rated as risks. In 2017, the percentage increased to 19%, and this year 30% of employees were rated as a risk. The percentage of heroes also fell year-over-year from 30% in 2017 to 25% in 2018. 45% of participants were rated as novices this year, down from 51% in 2017.

Employees were worse than last year at reporting suspicious activity, identifying physical security risks, cloud computing security, identifying personal information, identifying malware infections, and identifying possible phishing attempts. A quarter of employees took risks when working remotely and while on social media sites, compared with one fifth of respondents last year.

Employees in management roles or higher performed worse than workers in lower positions. 77% of managers (and above) were found to lack security awareness compared to 74% of workers in lower positions.

One of the most worrying findings was the failure of employees to identify phishing emails, given the increase in phishing attacks in recent years. In 2017, 8% of employees got phishing questions incorrect. This year, 14% of employees failed to answer the questions correctly. There was also a lack of understanding of email threats, in particular Business Email Compromise (BEC) scams, which 58% of employees failed to correctly define.

While 8 out of 10 employees were able to identify phishing emails in the test, 18% chose to open an unexpected attachment or click on a link in an email from an unknown sender to find out where it went. Worse still, finance employees were the most susceptible to phishing attacks based on the assessments.

“The lack of awareness when it came to phishing emails was particularly troubling,” explained MediaPRO in the report. “We put more of a focus on phishing this year because of the massive thorn in the sides of IT managers and CISOs it represents. The added focus given to phishing in our survey unfortunately revealed additional weaknesses.”

The 2018 State of Privacy and Security Awareness Report can be downloaded on this link.

The post Study Reveals 75% of Employees Lack Security Awareness appeared first on HIPAA Journal.

September 2018 Healthcare Data Breach Report

For the second consecutive month there has been a reduction in both the number of reported healthcare data breaches and the number of exposed healthcare records. In September, there were 25 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights – the lowest breach tally since February.

[Figure: Healthcare data breaches, April to September]

There was also a substantial reduction in the number of exposed/stolen healthcare records in September. Only 134,000 healthcare records were exposed/stolen in September – a 78.5% reduction compared to August. Fewer records were exposed in September than in any other month in 2018.

Causes of September 2018 Healthcare Data Breaches

In August, hacking/IT incidents dominated the healthcare breach reports, but there was a major increase (55.55%) in unauthorized access/disclosure breaches in September, most of which involved paper records. There were no reported cases of lost paperwork or electronic devices containing ePHI, nor any improper disposal incidents.

[Figure: September 2018 Healthcare Data Breaches - Causes]

While there were fewer hacking/IT incidents than unauthorized access/disclosure incidents in September, they resulted in the exposure of more healthcare records. Six of the top ten healthcare data breaches in September were hacking/IT incidents.

Ten Largest Healthcare Data Breaches in September 2018

| Covered Entity | Entity Type | Records Exposed | Breach Type | Location of PHI |
|---|---|---|---|---|
| WellCare Health Plans, Inc. | Health Plan | 26942 | Unauthorized Access/Disclosure | Paper/Films |
| Reliable Respiratory | Healthcare Provider | 21311 | Hacking/IT Incident | Email |
| Toyota Industries North America, Inc. | Health Plan | 19320 | Hacking/IT Incident | Email |
| Independence Blue Cross, LLC | Business Associate | 16762 | Unauthorized Access/Disclosure | Other |
| Ransom Memorial Hospital | Healthcare Provider | 14329 | Hacking/IT Incident | Email |
| Ohio Living | Healthcare Provider | 6510 | Hacking/IT Incident | Email |
| University of Michigan/Michigan Medicine | Healthcare Provider | 3624 | Unauthorized Access/Disclosure | Paper/Films |
| Reichert Prosthetics & Orthotics, LLC | Healthcare Provider | 3380 | Theft | Other Portable Electronic Device |
| J.A. Stokes Ltd. | Healthcare Provider | 3200 | Hacking/IT Incident | Desktop Computer, Electronic Medical Record, Network Server |
| J&J Medical Service Network Inc. | Business Associate | 2500 | Hacking/IT Incident | Network Server |

Location of Breached Protected Health Information

Over the past few months, email has been the most common location of breached PHI. September also saw a high number of email-related breaches reported – mostly due to phishing attacks – but the highest percentage of breaches involved paper records. There were 9 incidents involving unauthorized access/disclosure of paper records and one theft incident.

Data Breaches by Covered Entity Type

There was a 150% month-over-month rise in health plan data breaches in September, although healthcare providers were the worst affected with 17 healthcare data breaches reported in September 2018. While there were only 3 data breaches reported by business associates of HIPAA-covered entities, a further four breaches had some business associate involvement.

Healthcare Data Breaches by State

Healthcare organizations based in 18 states reported data breaches in September. Texas was the worst affected with four separate healthcare data breaches in September. There were three breaches reported by healthcare providers in Massachusetts and two reported breaches in California and Kansas. One breach was reported in Arizona, Colorado, Florida, Indiana, Michigan, Nebraska, New Jersey, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, and Wisconsin.

HIPAA Enforcement Actions in September

After two months without any OCR financial penalties, OCR agreed settlements with three hospitals in September to resolve potential HIPAA violations. All three hospitals were alleged to have violated the HIPAA Privacy Rule by allowing an ABC film crew to record footage for the TV show “Boston Med.”

In all cases, OCR determined that patient privacy had been violated by allowing filming to take place without first obtaining patients’ consent. OCR also determined there had been failures to safeguard patients’ protected health information.

Massachusetts General Hospital agreed to a settlement of $515,000, Brigham and Women’s Hospital settled its case with OCR for $384,000, and Boston Medical Center paid OCR $100,000. New York Presbyterian Hospital had already settled its Boston Med-related case with OCR for $2.2 million in 2016.

State attorneys general also enforce HIPAA Rules and can issue fines for HIPAA violations. In September there was one settlement agreed with a state attorney general. UMass Memorial Health Care paid $230,000 to Massachusetts to resolve alleged HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. In both cases, employees had accessed and copied PHI without authorization.


OIG Publishes 2016 Medicaid Data Breach Report

A new report released by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed the vast majority of Medicaid data breaches are relatively minor and only affect an extremely limited number of individuals.

For the study, OIG assessed all breaches reported by Medicaid agencies and their contractors in 2016. According to the report, the records of 515,000 Medicaid beneficiaries were exposed in 2016, spread across 1,260 data breaches.

Almost two thirds of Medicaid data breaches reported in 2016 affected a single person with a further 29% of breaches affecting between 1 and 9 individuals. Large-scale breaches, which resulted in the data of 500 or more beneficiaries being exposed, accounted for 1% of the annual total.

While the breach causes were highly varied, the majority of incidents were the result of simple errors such as misaddressing a letter, fax, or email. Those breaches only resulted in a very limited amount of PHI being exposed, such as a beneficiary name and Medicaid or other ID number. Out of the 1,260 breaches only 303 resulted in the exposure of a Social Security number and just 23 involved financial information. Hackers may be responsible for a large percentage of healthcare data breaches, but there were only 9 hacking incidents reported in 2016 that resulted in the exposure of Medicaid data.

[Figure omitted. Image source: HHS Office of Inspector General]

OIG explained that previous reviews have concentrated on identifying vulnerabilities in states’ information systems and controls, which could potentially be exploited to gain access to Medicaid systems and data. This review was concerned with the breach response when security incidents occur. An efficient breach response can limit the potential for harm such as identity theft.

In addition to an analysis of Medicaid data breaches, OIG also assessed the breach response policies and procedures in 50 states and the District of Columbia. OIG discovered a common breach reporting framework has been adopted by the majority of U.S. states, which covers investigations of breaches and their scope, the best way to respond to data breaches, how to protect breach victims, and identifying the actions to take to correct vulnerabilities to prevent future security incidents. OIG also assessed the responses to individual breaches in nine states to gain a better understanding of the breach response processes.

OIG noted that the breach response processes varied slightly from state to state, with all meeting the requirements of HIPAA as well as state-specific laws. While all breaches were reported to the HHS’ Office for Civil Rights to meet the requirements of the HIPAA Breach Notification Rule, many states failed to routinely notify the Centers for Medicare & Medicaid Services (CMS) separately, even though the CMS has required states to do so since 2006.

OIG suggests that this was likely due to the introduction of the HIPAA Breach Notification Rule in 2009.

The failure to report Medicaid breaches directly to the CMS hampers the agency’s ability to monitor data security issues nationally. This can make it harder to identify multi-state data breaches and determine when best practices and guidance need to be issued to correct common data security issues.

To correct the problem, OIG has recommended CMS should issue updated guidance for Medicaid agencies and their contractors and detail the circumstances that warrant a separate breach notification to be issued to the CMS.

CMS concurred with the recommendation, although did point out that the reporting requirements had been made clear in a 2006 State Medicaid Director Letter to Medicaid agencies and contractors.

The OIG report can be downloaded on this link (PDF, 2.1MB)


CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System

The Centers for Medicare & Medicaid Services (CMS) has discovered hackers have gained access to a health insurance system that interacts with the HealthCare.gov website and have accessed files containing the sensitive information of approximately 75,000 individuals.

On October 13, 2018, CMS staff discovered anomalous activity in the Federally Facilitated Exchanges system and the Direct enrollment pathway used by agents and brokers to sign their customers up for health insurance coverage. On October 16, the CMS confirmed there had been a data breach and a public announcement about the cyberattack was made on Friday October 19, 2018.

While the number of files accessed only represents a small fraction of the total number of consumer records stored in the system, it is still a sizable and serious data breach. The files contained information supplied by consumers when they apply for healthcare plans through agents and brokers, including names, telephone numbers, addresses, Social Security numbers, and income details.

While the CMS has confirmed that the files have been accessed by unauthorized individuals, it is currently unclear whether any files were actually stolen by the attackers.

The investigation into the cyberattack is ongoing and the CMS is currently working on implementing new security controls to prevent further attacks. The Direct Enrollment system has been temporarily taken offline to allow the security updates to be applied. The CMS expects the system to be offline for about a week. It will be back online for the upcoming enrollment period that commences on November 1.

“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma.

The CMS notes that the attack only affected the system used by agents and brokers. There has not been a breach of the HealthCare.gov website which is used by consumers to personally sign up for health insurance coverage. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available,” said Verma.

The CMS will be sending notification letters to all individuals whose personal information has been exposed and will be providing further information on the steps they can take to prevent misuse of their data. The CMS will release further information about the breach as and when it becomes available.


FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) have announced a memorandum of agreement to implement a new framework to increase collaboration and improve coordination of their efforts to increase medical device security.

The security of medical devices has long been a concern. Cybersecurity flaws in medical devices could potentially be exploited to cause patients harm, and with an increasing number of medical devices now connecting to healthcare networks, it is more important than ever to ensure adequate protections are in place to ensure patient safety and threats are rapidly identified, addressed and mitigated.

Medical devices are a potential weak point that could be exploited to gain access to healthcare networks and sensitive data. They could also be used to gain a foothold to launch further cyberattacks that could prevent healthcare providers from providing care to patients. Vulnerabilities could also be exploited to deliberately cause harm to patients. While the latter is not believed to have occurred to date, it is a very real possibility.

Both the FDA and DHS are aware of the threat posed by medical devices and have been working to strengthen cybersecurity. The two agencies have collaborated in the past on medical device cybersecurity and vulnerability disclosures, although the new agreement formalizes the relationship between the two agencies.

“The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns,” explained FDA Commissioner Scott Gottlieb, M.D. “But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone.”

Under the new agreement, information sharing will be increased between the two federal agencies to improve understanding of new medical device security threats. When vulnerabilities are discovered, both departments will work closely together to assess the risk that the vulnerabilities pose to patient safety. The agencies will also coordinate the testing of the vulnerabilities.

By working more closely together, the two agencies will be able to eliminate duplication of activities and will be able to work more efficiently at identifying and mitigating threats. “Through this agreement, both agencies are renewing their commitment to working with not only each other, but also all stakeholders to create an environment of shared responsibility when it comes to coordinated vulnerability disclosure for identifying and addressing cybersecurity risks,” wrote the FDA.

DHS will remain as the central coordination center for medical device vulnerabilities through the National Cybersecurity and Communications Integration Center (NCCIC), which will continue to be responsible for coordinating information sharing between medical device manufacturers, security researchers and the FDA.

The FDA’s Center for Devices and Radiological Health will use its considerable technical and clinical expertise to assess the risk vulnerabilities pose to patient health and the potential for patients to come to harm from exploitation of vulnerabilities. This information will then be shared with DHS through regular, ad hoc, and emergency communication calls.

“Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority, which is why DHS depends on our important partnership with the FDA to collaborate and provide actionable information. This agreement is another important step in our collaboration,” said Christopher Krebs, Undersecretary for the National Protection and Programs Directorate at DHS.


Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering

Earlier this year, spam and web filtering solution provider TitanHQ partnered with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.

The new partnership has allowed Datto to enhance security on the Datto Networking Appliance with enterprise-grade web filtering technology supplied by TitanHQ.

The new web filtering functionality allows users of the appliance to carefully control the web content that can be accessed by employees and guests and provides superior protection against the full range of web-based threats.

TitanHQ and Datto Networking will be holding a webinar that will include an overview of the solution along with a deep dive into the new web filtering functionality.

Webinar Details:

Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering

Date: Thursday, October 18th

Time: 11AM ET | 8AM PT | 4PM GMT/BST

Speakers:

John Tippett, VP, Datto Networking

Andy Katz, Network Solutions Engineer

Rocco Donnino, EVP of Strategic Alliances, TitanHQ


The HIPAA Risk Analysis: Guidance and Tools for HIPAA Covered Entities and Business Associates

The HIPAA risk analysis is a foundational element of HIPAA compliance, yet it is something that many healthcare organizations and business associates get wrong. That places them at risk of experiencing a costly data breach and receiving a substantial financial penalty for noncompliance.

The HIPAA Risk Analysis

The administrative safeguards of the HIPAA Security Rule require all HIPAA-covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” See 45 C.F.R. § 164.308(u)(1)(ii)(A).

The risk analysis is a foundational element of HIPAA compliance and is the first step that must be taken when implementing safeguards that comply with and meet the standards and implementation specifications of the HIPAA Security Rule.

If a risk analysis is not conducted or is only partially completed, risks are likely to remain and will therefore not be addressed through an organization’s risk management process – See § 164.308(u)(1)(ii)(B) – and will not be reduced to a reasonable and appropriate level to comply with the § 164.306 (a) Security standards: General Rules.

A HIPAA risk analysis is also necessary to determine whether it is reasonable and appropriate to use encryption or whether alternative safeguards will suffice – See 45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).

A risk analysis should also be used to guide organizations on authentication requirements – See 45 C.F.R. § 164.312(c)(2) – and the methods that should be used to protect ePHI in transit – See 45 C.F.R. § 164.312(c)(2).

If risks are allowed to persist, they can potentially be exploited by hackers and other malicious actors resulting in impermissible disclosures of ePHI.

During investigations of data breaches, the Department of Health and Human Services’ Office for Civil Rights looks for HIPAA compliance failures that contributed to the cause of the breach. One of the most common violations discovered is a failure to conduct a comprehensive, organization-wide risk analysis. A high percentage of OCR resolution agreements cite a risk analysis failure as one of the primary reasons for a financial penalty.

Requirements of a HIPAA Risk Analysis

The HIPAA Security Rule states that a risk analysis is a required element of HIPAA compliance, but does not explain what the risk analysis should entail nor the method that should be used to conduct a risk analysis. That is because there is no single method of conducting a risk analysis that will be suitable for all organizations, nor are there any specific best practices that will ensure compliance with this element of the HIPAA Security Rule.

OCR has explained the requirements of a HIPAA risk analysis on the HHS website. HHS guidance on risk analysis requirements of the HIPAA Security Rule is also available as a downloadable PDF (36.1 KB), with further information available in the NIST Risk Management Guide for Information Technology Systems – Special Publication 800-30 (PDF – 480 KB).

A Security Risk Assessment Tool to Guide HIPAA-Covered Entities Through a HIPAA Risk Analysis

The risk analysis process can be a challenge. To make the process easier, the HHS’ Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the Office for Civil Rights, has developed a downloadable security risk assessment tool that guides HIPAA-covered entities through the process of conducting a security risk assessment.

After downloading and installing the tool, healthcare organizations can enter information and a report will be generated that helps them determine risks in policies, processes and systems and details some of the methods that can be used to mitigate weaknesses when the user is performing a risk assessment.

On October 15, 2018, ONC updated the tool (version 3.0). The aim of the update was “to make it easier to use and apply more broadly to the risks of the confidentiality, integrity, and availability of health information. The tool diagrams HIPAA Security Rule safeguards and provides enhanced functionality to document how your organization implements safeguards to mitigate, or plans to mitigate, identified risks,” wrote ONC.

The new features include an updated and enhanced user interface, a modular workflow, custom assessment logic, a progress tracker, threat and vulnerability ratings, more detailed reports, asset tracking, business associate tracking, and several enhancements to improve the user experience.

Use of the tool will not guarantee compliance with HIPAA or other federal, state, or local laws, but it is an incredibly useful tool for guiding HIPAA-covered entities and business associates through the process of conducting a HIPAA-compliant risk analysis.

The updated Security Risk Assessment Tool can be downloaded from the HealthIT.gov website on this link.


FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers

The U.S. Food and Drug Administration (FDA) has issued a warning about vulnerabilities in certain Medtronic implantable cardiac device programmers which could potentially be exploited by hackers to change the functionality of the programmer during implantation or follow up visits. Approximately 34,000 vulnerable programmers are currently in use.

The programmers are used by physicians to obtain performance data, to check the status of the battery, and to reprogram the settings on Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors.

The flaws are present in Medtronic CareLink 2090 and CareLink Encore 29901 programmers, specifically how the devices connect with the Medtronic Software Distribution Network (SDN) over the internet. The connection is required to download software updates for the programmer and firmware updates for Medtronic CIEDs.

While a virtual private network (VPN) is used to establish a connection between the programmers and the Medtronic SDN, there is no check performed to establish whether the programmer is still connected to the VPN before software updates are downloaded. This would give hackers the opportunity to install their own updates and alter the functionality of the devices.

The flaws in the programmers were identified by security researchers Billy Rios and Jonathan Butts last year. Medtronic was notified about the flaws but has been slow to take action. An advisory was eventually issued in February 2018, but it has taken until now for action to be taken to correct the vulnerability.

Medtronic is now preventing the programmers from connecting to the SDN to receive software updates. Instead, future updates must be performed by Medtronic through a USB connection. Any attempt to update the device via the SDN will now trigger an “Unable to connect to local network” or “Unable to connect to Medtronic” error message.

The FDA reviewed the cybersecurity vulnerabilities and has confirmed that the flaws could be exploited to cause patients to come to harm. On October 5, 2018, the FDA approved the Medtronic network update that blocks the programmer from accessing the Medtronic SDN.

The FDA recommends that the programmers continue to be used for programming, testing and evaluation of CIED patients. The internet connection is not a requirement for normal operation.

Both the FDA and Medtronic have confirmed that no reports have been received to suggest that the vulnerabilities have been exploited and no patients are known to have come to harm.


Most Common Healthcare Phishing Emails Identified

A new report by Cofense has revealed the most common healthcare phishing emails and which messages are most likely to attract a click.

The 2018 Cofense State of Phishing Defense Report provides insights into susceptibility, resiliency, and responses to phishing attacks, highlights how serious the threat from phishing has become, and how leading companies are managing risk.

The high cost of phishing has been highlighted this week with the announcement of a settlement between the HHS’ Office for Civil Rights and Anthem Inc. The $16 million settlement resolved violations of HIPAA Rules that led to Anthem’s 78.8 million record data breach of 2015. That cyberattack started with spear phishing emails. In addition to the considerable cost of breach remediation, Anthem also settled a class action lawsuit related to the breach for $115 million. Even an average sized breach now costs $3.86 million to resolve (Ponemon/IBM Security, 2018).

Previous Cofense research suggests that 91% of all data breaches start with a phishing email and research by Verizon suggests 92% of malware infections occur as a result of malicious emails. Cofense cites figures from Symantec’s 2018 Internet Security Threat Report which suggests that on average, 16 malicious email messages are delivered to every email user’s inbox every month.

Cofense is the leading global provider of human-driven phishing defense solutions, which are used by half of Fortune 500 companies to improve resiliency to phishing attacks. For its latest report, Cofense analyzed the responses to more than 135 million phishing simulations sent through its platform and approximately 50,000 real phishing threats reported by its customers.

Cofense notes that out of the potentially malicious emails reported by end users, one in ten were confirmed as malicious. Half of those messages were phishing emails designed to get end users to disclose credentials.

Across all 23 industry sectors that were represented in the study, 21% of reported crimeware emails contained malicious attachments. By far the most common theme for phishing emails was fake invoices, which accounted for six of the ten most effective phishing campaigns of 2018 to date.

While fake invoices are often used in phishing attacks on healthcare organizations, they are only the third most common type of phishing email (16.5%). In all other industry sectors, fake invoices were the most common phishing threat. The second most common healthcare phishing emails were alerts of new messages in a mailbox (25.5%). The most common healthcare phishing emails were fake payment notifications (58%).

Cofense data shows that the most effective methods for reducing risk from phishing are training and phishing simulations. Technical email security solutions are essential, but they do not block all malicious messages. Only through training and simulations can end users be conditioned to recognize and respond appropriately to malicious messages. The industries with the highest resiliency to phishing attacks are those that train more often.

Cofense suggests that to get the most out of phishing simulation exercises they should focus on active threats. Training is recommended at least every quarter to condition employees to look for and report phishing emails. Companies that encourage reporting of potential phishing threats rather than scolding employees for failing phishing tests tend to have greater success.

The full list of recommendations for security awareness training and phishing simulations can be found in the Cofense State of Phishing Defense Report, which is available on this link.
