By: HUB’s EB Compliance Team
The Department of Health and Human Services Office for Civil Rights (“OCR”), the government agency responsible for enforcing HIPAA, issued a cybersecurity newsletter focused on social engineering at the end of October. As October was Cyber Awareness Month, the newsletter was timely in highlighting the risks associated with social engineering. HIPAA (the Health Insurance Portability and Accountability Act) requires covered entities, such as health plans, and their business associates to take steps to prevent the unauthorized disclosure of protected health information (“PHI”).
Social Engineering
Social engineering is when an attacker uses emails, texts, calls, or videos that appear to be from trusted sources. Using either publicly available information or scare tactics designed to short-circuit critical thinking, the attacker crafts a realistic-looking message, often demanding an urgent response, in an effort to manipulate the recipient. The goal is to get the recipient to open malicious links or documents or to provide information that can be used to compromise systems or networks. The objective is often to obtain money, access sensitive information, or disrupt an organization’s operations.
Under the HIPAA rules, covered entities and business associates are required to conduct risk assessments. Such risk assessments could review emerging social engineering threats. In response, covered entities and business associates should deploy safeguards such as anti-phishing technologies, scanning web links or attachments, and using machine learning or behavioral analysis to detect and prevent potential threats. The unfortunate truth is that individuals are often the “weakest link” in security.
Examples
The newsletter gives examples of types of social engineering attacks including:
- Phishing. Phishing is when an attacker sends an email that appears to be legitimate. An example of phishing is an email from what appears to be the HR department, a company executive, a large retailer, a delivery service, or a financial institution. The email could be sent to a work or personal email address. The attacker appears to provide a legitimate reason to click a link in the email in an effort to have the recipient give up important information, like a login ID and password. As another example, a phishing email could claim the employee has been added to a new office communication or collaboration group, such as a Microsoft Teams Channel. When the employee clicks the link, they are taken to a forged website that looks nearly identical to the website they expect to see. At the forged website, they are asked to enter their username and password to validate their identity. Once they have provided their credentials, the attacker can use those credentials to potentially gain access to the company’s systems.
- Smishing. Smishing is like phishing, but uses texting, technically known as Short Message Service (SMS) messaging, to achieve a similar end. An example of smishing is when a message appears to come from a bank asking the recipient to confirm a large withdrawal by making a call or clicking a link to reset a password. Notably, in 2022 the Federal Bureau of Investigation (“FBI”) issued a memo highlighting the increase in “IRS themed smishing campaigns”.
- Baiting. Baiting involves luring individuals with the promise of something valuable such as winning a prize, enticing them to click on a link that then installs malicious software on their computer or phone. Sometimes baiting involves leaving devices, like thumb drives, in public places (such as a lobby or parking garage) that can be used to breach information systems if plugged in. The goal is often to arouse curiosity to get the person to plug the device in. Once they do, the device deploys malware that is then used to access or paralyze the recipient’s system.
- Deepfakes. A deepfake occurs when someone believes they are communicating (e.g., through video, photo, audio) with a trustworthy source which is faked through artificial intelligence (AI) technology. This is sometimes called “AI cloning” where an AI is made to look and/or sound like a trusted source so the individual gives up money or information the attacker wants. This could be via video or a phone call.
Combating the Threats
The key methods for combating these threats are training and developing a culture of cybersecurity at your workplace. If people see security as a part of their role, and not an annoyance that must be endured to perform their duties, it will make them more vigilant. As to the specific issues identified, OCR suggests the following (which are not exhaustive):
- Be suspicious of links sent via SMS messaging or emails that are not expected. While many may be legitimate, there are many more that are not. An individual should mistrust messages offering prizes or deals that seem too good to be true. A good rule of thumb is to pause before clicking on any link and analyze the context, timing, and urgency of the message.
- Do not call a number sent through an SMS message or unexpected email, especially when such messages or emails attempt to convey a sense of urgency. Instead, look up the number for the organization supposedly contacting you and call to confirm the information.
- Never provide sensitive information such as usernames, passwords, or personally identifiable information. Instead, call the organization requesting such information using a known good phone number (such as the organization’s customer support number from their website) to verify why they need your sensitive information. Do not rely on a phone number provided in the SMS message or email as those could belong to the attacker.
- If there is a legitimate offer of a prize, there will usually be information on a legitimate website, including a news source, discussing it, so searching to confirm the prize is important.
- For physical devices like thumb drives, employees should never plug those into their personal or work computers if they do not know the source of the device.
- To avoid deepfake manipulation, some key signs to look for include inconsistent eye blinking, lack of facial features with clear definition, unnatural skin discoloration, a person’s mouth not synchronizing to what they are saying, and abnormal boundaries between hair and background. One way to potentially thwart a deepfake attack is to ask questions only the real person would know, but being careful not to divulge secrets in the process, such as “what did we talk about last Tuesday?”. Another way to determine if it is a deepfake is to disconnect the call or text and confirm the number is verified by reaching out to the source using a number you know.
Takeaways
Employers sponsoring health plans should strongly consider reviewing their cybersecurity with their information technology vendors. More importantly, however, as this newsletter shows, a significant vulnerability is the people in an organization. Therefore, developing a culture of cybersecurity and making sure staff are trained on best practices is key. Employers who do not conduct, and strongly encourage, regular training should consider engaging a vendor to assist with these efforts.
If you have any questions, please contact your HUB Advisor.
NOTICE OF DISCLAIMER
Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.
