CareFirst Administrators impacted by phishing scam at RCM vendor


Last month, CareFirst Administrators notified impacted individuals about a business associate breach. The phishing scam occurred at Conifer Revenue Cycle Solutions, a provider of revenue cycle management (RCM) services to healthcare organizations.

Phishing emails continue to plague the healthcare industry. According to the FBI, phishing attacks may increase by as much as 400% year-over-year. This is especially alarming for phishing attacks on business associates, since a single compromised vendor affects a larger number of healthcare organizations.

How do healthcare organizations and their business associates avoid such debilitating breaches? By using strong email security and a HIPAA compliant email provider to ensure protected health information (PHI) remains protected.

What happened?

CareFirst Administrators is a third-party healthcare administrator in Maryland, Washington, D.C., and Northern Virginia. It specializes in administering health benefits locally through CareFirst BlueCross BlueShield and nationally through the Blue Cross Blue Shield Association.

CareFirst Administrators announced on November 22 that its vendor Conifer Value-Based Care LLC was targeted by a phishing scam. Conifer is a subcontractor providing RCM services for CareFirst and other healthcare organizations.

Conifer discovered that a cyberattacker accessed certain email accounts between March 17 and March 22. The business associate acted immediately to stop further activity and hired a security firm to investigate. At the end of June, Conifer notified CareFirst about the breach.

CareFirst then performed “additional data enrichment and validation efforts,” completed on September 1. At the end of the month, the organization notified impacted group health plans. PHI involved in the incident included:

  • Names
  • Addresses
  • Health insurance information
  • Dates of birth
  • Medical information
  • Billing and claims information

Regrettably, some records also included Social Security numbers. On November 18, the U.S. Office for Civil Rights (OCR) Breach Portal listed the breach as impacting 14,538 individuals.

HIPAA business associates and third-party breaches

A HIPAA business associate is a person or entity that performs certain functions or activities involving PHI on behalf of a covered entity, as Conifer Value-Based Care does for CareFirst Administrators and other healthcare organizations. Under the HIPAA Privacy Rule, business associates must be HIPAA compliant and must help covered entities comply as well.

Generally, the Privacy Rule allows healthcare providers to disclose PHI to business associates, but only after receiving assurance, through a signed business associate agreement (BAA), that the vendor will protect it.

Unfortunately, business associate breaches are known to cause massive disruptions. Business associates were at the center of nearly 40% of 2022’s reported breaches on OCR’s portal. More than 30 organizations were impacted by a single business associate breach at Ciox Health.

The Conifer breach confirms how problematic third-party vendor cyberattacks can be, especially when threat actors get into a system with something as simple as a phishing email.

Phishing woes and other tales of big breaches

According to Conifer, an unauthorized party gained access to certain Microsoft Office 365-hosted business email accounts via a phishing scam. Email phishing is a malicious attempt to trick victims into giving up personal and online account information. Over 80% of cybersecurity professionals recently surveyed state that phishing attacks represent a top security concern.

The goal is to capture that data, or to use the stolen access to reach and exploit more valuable and sensitive systems. Such attacks can be targeted (e.g., spear phishing) or widely distributed (e.g., spam). Whatever the type, the point is to use social engineering to take advantage of tired or unaware staff.

Phishing emails typically ask recipients to send confidential information or open an attachment containing malware. Cyberattackers disguise these emails as legitimate messages from reputable entities such as financial institutions, government agencies, or major retailers. Today, phishing messages are so well crafted, they sometimes trick even skeptical, security-conscious users.

While anti-phishing training is important to educate staff, human error is unavoidable. And one inadvertent click can disrupt and shut down even the most secure system.
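As an added example (not code from the original post or from Paubox), the following Python script triages an inbound message for the indicators this section describes: a display name that borrows a trusted organization's name while the address sits on an outside domain, a redirected Reply-To, failed SPF/DKIM/DMARC authentication, urgency and credential-request language, lookalike link hosts, and attachment types commonly used to carry malware. The organization name, its domains, and both sample messages are constructed for the demo; nothing here is taken from the Conifer or CareFirst notices.

```python
"""Score an inbound email for common phishing indicators.

Added example for this page; not Paubox code. Standard library only.
The brand, trusted domains and sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical organization being impersonated (assumption for the demo).
BRAND_NAME = "example health"
BRAND_SLUG = "example-health"
TRUSTED_DOMAINS = {"example-health.test", "billing.example-health.test"}

URGENCY = re.compile(
    r"\b(urgent|immediately|suspended|verify your (account|password)|within 24 hours)\b", re.I)
CRED_REQUEST = re.compile(
    r"\b(passwords?|login credentials|social security number|ssn)\b", re.I)
URL_HOST = re.compile(r"https?://([^\s/]+)", re.I)
RISKY_EXT = (".exe", ".js", ".vbs", ".iso", ".docm", ".xlsm", ".htm", ".html", ".zip")


def auth_results(msg):
    """Reduce an Authentication-Results header to {method: result}, e.g. {'dmarc': 'fail'}.

    Only trust this header when your own MX wrote it; strip copies that arrive from outside.
    """
    header = str(msg.get("Authentication-Results", ""))
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def triage(raw_message):
    """Return {'findings': [...], 'verdict': 'deliver' | 'review' | 'quarantine'}."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()

    # 1. Display name borrows the trusted brand, but the address domain is not ours.
    if BRAND_NAME in display.lower() and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name impersonates {BRAND_NAME!r} from {from_domain}")

    # 2. Replies are silently redirected to a different domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Domain authentication failed, or DMARC was never evaluated.
    auth = auth_results(msg)
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) == "fail"]
    if failed:
        findings.append("sender authentication failed: " + ", ".join(failed))
    elif "dmarc" not in auth:
        findings.append("no DMARC verdict recorded for message")

    # 4. Pressure language and credential requests in subject or body.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text):
        findings.append("urgency / account-suspension language")
    if CRED_REQUEST.search(text):
        findings.append("asks for credentials or identifiers")

    # 5. Links to lookalike hosts that carry the brand name but are not ours.
    for host in URL_HOST.findall(body):
        host = host.lower()
        if BRAND_SLUG in host and host not in TRUSTED_DOMAINS:
            findings.append(f"lookalike link host: {host}")

    # 6. Attachment types commonly used to deliver malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment: {name}")

    verdict = "quarantine" if len(findings) >= 2 else "review" if findings else "deliver"
    return {"findings": findings, "verdict": verdict}


# Constructed sample: a credential-phishing message posing as the billing team.
PHISH_SAMPLE = """\
From: "Example Health Billing" <billing@example-health-support.test>
Reply-To: collect@mailbox-free.test
To: staff@example-health.test
Subject: URGENT: your account will be suspended within 24 hours
Authentication-Results: mx.example-health.test; spf=fail smtp.mailfrom=example-health-support.test; dkim=none; dmarc=fail header.from=example-health-support.test
Content-Type: text/plain

Please verify your password at https://example-health-login.test/verify immediately.
"""

# Constructed sample: a legitimate statement notice from the real billing domain.
LEGIT_SAMPLE = """\
From: "Example Health Billing" <billing@billing.example-health.test>
To: staff@example-health.test
Subject: Monthly claims statement available
Authentication-Results: mx.example-health.test; spf=pass smtp.mailfrom=billing.example-health.test; dkim=pass header.d=example-health.test; dmarc=pass header.from=billing.example-health.test
Content-Type: text/plain

Your October statement is ready in the claims portal at https://billing.example-health.test/statements.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = triage(sample)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

The thresholds and word lists are deliberately simple; the point is that each indicator is cheap to check at the gateway before a human ever sees the message, which is what takes the "one inadvertent click" out of the employee's hands. A real deployment evaluates SPF, DKIM and DMARC itself and records the result at the MX rather than trusting any Authentication-Results header that arrived with the message.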

Ensure business associates use strong cybersecurity

Given the headache involved with phishing and business associate breaches, it is important to guarantee vendors utilize strong cybersecurity. First, as stated by HIPAA, covered entities and business associates must sign a BAA. This ensures that vendors remain vigilant when working with PHI.

And before a covered entity signs an agreement with a business associate, it is necessary to:

  1. Understand employed security measures
  2. Require similar features to its own
  3. Control the type of information available
  4. Identify all users and devices with access

Finally, healthcare organizations must continually review their contracts and the state of their PHI. Continuous reviews are needed to ensure organizations remain up to date with protective measures. Blame may fall on a covered entity that knowingly skips a BAA or fails to do due diligence.

What about phishing? How do you stop an inadvertent click?

Conifer Value-Based Care assured CareFirst Administrators that it “has and continues to enhance its security controls and monitoring practices as appropriate to minimize the risk of any similar incident in the future.” But what does this mean when it comes to phishing? What does stronger protection mean?

Covered entities and vendors must utilize HIPAA compliant technical, administrative, and physical safeguards when dealing with PHI. Unfortunately, anti-phishing training is not standardized, consistent, or always followed up. Even if training is adequate, organizations should not rely on their employees as front-line defenders.

Email is the most utilized threat vector (or entry point) into any system, which is why layered email security is vital. A comprehensive security approach should include training as well as:

  • Storage policies
  • Access controls (e.g., password policies)
  • Technical safeguards (e.g., encryption)
  • Separate offline backup
  • Patched and up-to-date devices
  • VPNs and/or firewalls

Enabling HIPAA compliant email, like Paubox Email Suite, is crucial to safeguarding all data accessible through email.

Try Paubox for free

Paubox Email Suite for HIPAA compliant email

Keep your patient data safe from ransomware, phishing attacks and other dangers with advanced email threat protection.

Start for free

CommonSpirit Health ransomware attack update


In October, we outlined what we knew about the CommonSpirit Health data breach. Last month, the health system confirmed that it was hit by a ransomware attack.

SEE ALSO: CommonSpirit Health says patient data was stolen during ransomware attack

CommonSpirit Health is Chicago-based and one of the nation’s largest hospital systems. Ransomware attacks against such organizations are frequent for a variety of reasons, including the value of protected health information (PHI).

Let’s explore the CommonSpirit breach further to demonstrate why HIPAA compliant email is vital within the healthcare industry.

CommonSpirit Health’s original breach notice

The health system confirmed an “IT security issue” in a short statement on October 4, 2022. In it, CommonSpirit stated that the breach impacted some of its facilities and that some patients had to reschedule appointments. CommonSpirit also took certain IT systems offline, including its electronic health records (EHRs).

LEARN MORE: EMR or EHR? What’s the difference?

The next day, CommonSpirit released a similarly brief statement apologizing for the inconvenience. Neither statement mentioned the type of breach, the data exposed, or the impact. Subsidiaries that reported issues include:

  • Nebraska- and Tennessee-based CHI Health facilities
  • Seattle-based Virginia Mason Franciscan Health providers
  • MercyOne Des Moines Medical Center
  • Houston-based St. Luke’s Health
  • Michigan-based Trinity Health System

CommonSpirit operates 700 care sites and 142 hospitals in 21 states.

CommonSpirit Health’s October/November update

Later in October, CommonSpirit released a new statement characterizing the IT incident as a ransomware attack. Since this discovery, the health system has notified law enforcement and engaged a forensic investigation team. CommonSpirit now states that it experienced system interruptions across several states, including Nebraska, Tennessee, Texas, Washington, and Iowa.

The IT systems originally taken offline remained shut down. By November, CommonSpirit announced that some patients could again use its EHR systems, although they still could not schedule appointments through the portal.

At that point, the health system had not detailed the type of PHI exposed or the number of affected individuals.

CommonSpirit’s latest breach update

The latest update states that “an unauthorized third party gained access to certain files, including files that contained [PHI].” It specifically mentions data from Franciscan Medical Group and/or Franciscan Health in Washington state. The files contain personal information for individuals who received services in the past as well as their affiliates.

CommonSpirit adds that there is “no evidence that any [PHI] has been misused as a result of the incident.” Under HIPAA, it sent breach notification letters to those affected on December 1.

KNOW MORE: What is the HIPAA Breach Notification Rule?

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) Breach Portal lists the breach as a hacking/IT incident affecting 623,774 patients. On December 9, 2022, CommonSpirit released its official breach notice. In the notice, the health system states that the hacker breached its systems between September 16 and October 3. Files accessed included the following information about patients, family members, and caregivers:

  • Name
  • Address
  • Phone number
  • Date of birth
  • Internal unique ID (not medical record or insurance number)

There is no confirmation of which group is responsible. At this time, no PHI has been found on the dark web.

The true costs of a ransomware attack

Healthcare organizations are particularly vulnerable to ransomware attacks, even more so than other industries. In 2021, cyber incidents impacted more than 50.4 million medical records, and it looks like 2022 (and 2023) will exceed this number.

PHI is highly valuable to cybercriminals, and ransomware is an easy way to reach it. After stealing and/or encrypting data, threat actors can demand a ransom payment, sell the information on the black market, or both. On top of this are the costs associated with downtime and lawsuits.

READ MORE: Ransomware attack may have led to infant’s death

As of the end of December 2022, CommonSpirit had been hit with a class-action lawsuit alleging that negligence caused the ransomware attack. There is also the possibility of a HIPAA violation, a fine, and a corrective action plan; OCR is currently investigating the incident.

This and every breach demonstrate that healthcare providers must invest in solid cybersecurity to protect themselves and their patients. Becoming a victim of ransomware is far more costly than implementing data security protocols.

Avoid ransomware headaches with Paubox

Every healthcare organization must use strong protections to block ransomware attacks.

READ ABOUT: Ransomware attacks on healthcare increase in 2022

There are many methods to keep data secure. Some of these options include employee training and strong storage and access policies. But given that one of the most common entry points is through phishing emails, strong email security is vital. Aspects of email security include:

  • A robust password policy
  • Multi-factor authentication
  • Regularly monitored networks
  • Filters and antivirus software
  • Encryption

Finally, good email security starts and stops with a HIPAA compliant email provider such as Paubox Email Suite. Paubox technology is HITRUST CSF certified and provides an advanced HIPAA compliant email solution. Our Plus and Premium solutions include robust inbound security tools to help block cyberattacks harming the healthcare industry. These features block threats like phishing emails and ransomware and send them to quarantine.

Whether part of a large hospital system like CommonSpirit or a standalone clinic, Paubox provides the right email protection to keep data and organizations HIPAA compliant and secure.


Healthcare cybersecurity 2023 outlook


As a healthcare professional, you know that cybersecurity is of critical importance to your organization. With the increasing reliance on digital tools and the abundance of sensitive patient data, healthcare organizations are prime targets for cyberattacks. And with the constantly evolving landscape of cybersecurity threats, it’s crucial to stay up-to-date on the latest trends and best practices.

Today, we’ll explore the critical cybersecurity trends and challenges healthcare organizations can expect to face in 2023. From the growing threat of ransomware attacks to the increasing importance of employee training, we’ve got you covered.

Let’s dive into the key cybersecurity trends and challenges healthcare organizations can expect to face in 2023. By staying current on these trends and incorporating best practices into your organization’s security strategy, you can help protect your patients, staff and organization.

Focus on data privacy laws

Data privacy laws are essential to any healthcare organization’s cybersecurity strategy. These laws, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States, establish standards for protecting patient data and ensure that healthcare organizations are transparent about their data collection and usage practices.

Keeping up to date on the latest data privacy laws and regulations is essential for healthcare organizations in 2023. Your organization must comply with these laws and ensure that its data practices are transparent and ethical.

Healthcare organizations may face financial fines, legal action, and reputational damage if they do not comply with data privacy laws. 

See more: Why is healthcare a juicy target for cybercrime?

Increased cloud-based services add additional risks

Healthcare organizations can also expect an increase in cloud-based services in 2023. Healthcare organizations increasingly store and access data in the cloud, from electronic health records (EHRs) to telemedicine platforms.

In addition to offering numerous benefits, such as increased efficiency and reduced IT costs, cloud-based services also pose some risks. A data breach is one such risk. For example, sensitive patient data can be accessed and compromised if the cloud-based system of a healthcare organization is hacked.

To mitigate this risk, healthcare organizations should carefully evaluate the security measures for cloud-based services. Encrypting data in transit and at rest and implementing robust access controls are critical to preventing unauthorized access.

See more: HHS reminder: remain vigilant against cyberthreats

Cybersecurity committees

A cybersecurity committee is a group of individuals within an organization who are responsible for developing and implementing the organization’s cybersecurity strategy.

There are several benefits to having a cybersecurity committee in place. First and foremost, it ensures that cybersecurity gets the attention it deserves at the highest levels of the organization. This is especially important in the healthcare industry, where the consequences of a data breach can be severe.

A cybersecurity committee can also help coordinate departments’ efforts and ensure that all employees are trained on best practices for protecting sensitive data. Additionally, having a dedicated group of individuals responsible for cybersecurity allows for more efficient decision-making and response in the event of a security incident.

The growing threat of cyberattacks will lead to more healthcare organizations establishing cybersecurity committees in 2023. Consider forming a cybersecurity committee if your organization does not already have one.

See more: White House warns against possible Russian cyberattacks

Increased importance of risk assessments

Healthcare organizations must prioritize identifying and mitigating potential vulnerabilities as cyberattacks continue to grow.

Many organizations use risk assessment frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to accomplish this. The framework provides a set of best practices and guidelines for identifying and prioritizing cybersecurity risks and preparing an organization’s cybersecurity plan.

The HITRUST CSF certification is considered the compliance gold standard for the healthcare industry. In fact, more than 85% of U.S. health insurers, 80% of U.S. hospitals, and hundreds of other covered entities and business associates leverage the HITRUST Approach in their HIPAA compliance initiatives.

See more: HIPAA compliant email: The definitive guide

Email security and Paubox

As healthcare organizations increasingly rely on digital communications, they are at risk of phishing and ransomware attacks.

One tool that can help to improve email security for healthcare organizations is Paubox Email Suite, the easiest way to send and receive HIPAA compliant email without extra steps, such as portals and passwords. Additional plans include robust inbound email security with patented features to stop email threats before they hit the inbox.

By adopting a secure email platform like Paubox, healthcare organizations can help protect themselves and their patients from email-based attacks and maintain compliance with regulatory requirements.

Start for free

Try Paubox free for 14 days

Paubox Email Suite

Keep your patient data safe from ransomware, phishing attacks and other dangers with advanced email threat protection.

Start your free trial

What is a white hat or ethical hacker?


Ethical hackers are cybersecurity professionals tasked with finding security vulnerabilities in organizations and companies. They are given authorization to access computer systems or applications that would otherwise be off-limits to them. Ethical hackers, also known as “white hats,” use the same strategies and processes malicious hackers use, in order to help improve the organization’s security measures.

Ethical hackers perform risk assessments and technical activities to find gaps in computer systems or firewalls where sensitive information lives. Their goal is to report any vulnerabilities and provide remediation advice before malicious attacks occur.

Types of hackers

Not all hackers are the same, and not all hackers follow the same protocols and ethical guidelines. There are generally three types of hackers.

  • Unauthorized hackers. Also known as “black hats,” unauthorized hackers are malicious in intent. They use their technical skills to take over computer systems and steal sensitive data. Unauthorized hackers will stop at nothing to gain the information they desire.
  • Authorized hackers. Also known as “white hats” and ethical hackers, authorized hackers have a set of guidelines and permissions they must follow. They are usually hired by companies to find shortcomings in computer systems before any malicious attacks can occur.
  • Grey hat hackers. “Grey hat” hackers are a mix of both authorized and unauthorized hackers. Their primary goal is to exploit vulnerabilities in company systems to spread public awareness of the issues. “Grey hats” may instead share the weak points in security with just the company and not spread the news to the public. And while they don’t share sensitive information with the public, they don’t always follow permissions or a code of ethics when breaking into these systems. 

Related: Preventing Security Breaches in Healthcare

Ethical hacking vs. malicious attacks

While both ethical and unauthorized hackers have the skills and knowledge to get past security defenses, there are some key differences between the two.

Ethical hackers

  • Are hired and authorized by companies or organizations to find vulnerabilities in a system.
  • Follow a code of ethics and guidelines when testing systems, and do not share sensitive data with anyone other than their clients.
  • Run multiple tests on systems to mirror real-world attackers.

Malicious attackers

  • Are not hired or authorized by a company or organization.
  • Follow no guidelines; they will do whatever they can to breach security, often using private data for monetary gain.
  • Do not care about a company’s vulnerabilities and will not share weak points with anyone.

Related: To pay or not to pay for stolen data

Ethical hacker limitations

Ethical hackers face a variety of limitations when hired by a company or organization. Often, they do not have full knowledge of the industry they are trying to break into, because they may be hired by many different industries. Unauthorized hackers, by contrast, usually specialize in the sectors they attack, which may make it easier for them to sweep a system. Ethical hackers need to think as an unauthorized hacker would, mimicking their moves and using the same tools and programs, all while staying within the limits they have been given.

To keep servers from crashing, companies will often put limits on how far the authorized hacker can go. They have a timeline and budget to consider as well. None of these are things an unauthorized hacker needs to take into account.

Related: 3 sneaky ways hackers exploit uninformed employees

Unethical hackers are a financial and data risk for companies all over the globe. With Paubox you can send HIPAA compliant emails and stop security threats with one end-to-end solution. Paubox blocks incoming phishing emails and other threats, leaving you worry free. Our HITRUST CSF certified software integrates seamlessly with Google Workspace, Microsoft 365, and Microsoft Exchange so you can send emails on sensitive subjects without worrying about malicious attacks.

See more: HIPAA compliant email: The definitive guide

How Paubox Can Help

In the healthcare industry, the importance of cybersecurity cannot be overstated. With sensitive patient information at risk, it’s essential to take all necessary precautions to protect against potential threats. Understanding the different types of hackers, including gray hat hackers, can help healthcare professionals make informed decisions about how to best secure their systems and protect their patients.

One way to mitigate these risks is by implementing strong security measures and staying up to date on the latest cybersecurity threats.

One such solution is Paubox, the leading provider of email encryption and secure messaging solutions for the healthcare industry. With Paubox, healthcare organizations can securely send and receive sensitive information, ensuring their patients’ data privacy and security.

Using Paubox, healthcare organizations can protect themselves and their patients from the potential risks of gray hat hacking and other cybersecurity threats.

So if you want to improve your healthcare organization’s security, implement Paubox to protect your sensitive data and keep your patients’ information safe.

Today, being vigilant in your cyber security efforts is more critical than ever. And Paubox is a valuable tool in helping you do just that.


What is a gray hat hacker and their impact on healthcare?


What Is A Grey Hat Hacker?

In the world of cybersecurity, there are various types of hackers with varying motives and methods. One type you may have heard of is the gray hat hacker.

But what exactly is a gray hat hacker?

Simply put, a gray hat hacker is an individual who falls somewhere in between a white hat hacker and a black hat hacker. While white hat hackers are ethical hackers using their abilities for good, black hat hackers use their abilities for malicious motives, such as stealing sensitive information or causing harm to computer systems.

Grey hat hackers, on the other hand, fall somewhere in the middle.

Grey Hat Hacker

A gray hat hacker is a computer security expert who sometimes violates ethical standards but doesn’t have malicious intentions. Grey hat hackers often discover vulnerabilities in computer systems or networks and notify the owners of the systems about the issue. They may also offer to fix the vulnerability for a fee.

In contrast to black hat hackers – who have malicious intentions and use their skills to gain unauthorized access to systems for personal gain or to cause damage – gray hat hackers don’t have malicious intentions and often act to improve computer security.

However, their methods may be viewed as unethical by some, as they may exploit vulnerabilities without the owner’s knowledge or consent.

See more: Why is healthcare a juicy target for cybercrime?

The Grey Area

The term “gray hat” comes from the white hat/black hat terminology used to classify hackers. Gray hat hackers often have the same skills and expertise as black hat hackers but use them for more ambiguous purposes.

Black hat hackers are those with malicious intentions, while white hat hackers use their skills for ethical purposes, such as working as security consultants. Gray hat hackers fall between these two categories, as they may use their skills for both good and questionable purposes.

They may hack into a system without the owner’s permission, but their intentions aren’t necessarily malicious. They may do this to uncover vulnerabilities in the system and report them to the owner or a third party, often in exchange for a fee or some other form of compensation.

In this sense, gray hat hackers can be seen as a mix of white hat and black hat hackers, as they use their skills for both ethical and potentially unethical purposes.

See more: HHS reminder: remain vigilant against cyberthreats

Examples Of Grey Hat Hackers – Justin Shafer

One real-life example of a gray hat hacker in the healthcare industry occurred in 2016, when a security researcher named Justin Shafer discovered a vulnerability in the Electronic Health Records (EHR) system used by a large healthcare organization. Shafer could access the system without proper authorization and found that it contained sensitive patient information, including medical records and social security numbers.

Instead of attempting to profit from the vulnerability or causing damage to the system, Shafer notified the healthcare organization about the issue and offered to help fix it.

However, the organization did not respond to Shafer’s notification and he eventually publicly disclosed the vulnerability on his personal blog.

While Shafer’s intentions were not malicious, some viewed his actions as unethical because he accessed the EHR system without proper authorization. In addition, the healthcare organization may have preferred to keep the vulnerability secret to avoid negative publicity or legal repercussions.

Despite the controversy surrounding his actions, Shafer’s discovery ultimately led to the healthcare organization taking steps to improve the security of its EHR system. In this way, Shafer’s actions as a gray hat hacker ultimately positively impacted the system’s security and the protection of patient data.

See more: White House warns against possible Russian cyberattacks

The Current Situation

This example illustrates the complex ethical issues that can arise in gray hat hacking. While Shafer’s intentions were good, some may have viewed his actions as unethical. It’s important for individuals and organizations to carefully consider the potential risks and ethical implications of gray hat hacking before engaging in these activities.

Despite the controversy surrounding gray hat hacking, it’s undeniable that these individuals have a significant impact on the field of computer security. 

See more: HIPAA compliant email: The definitive guide


What is a black hat hacker and their impact on healthcare?


As technology advances and becomes a larger part of our everyday lives, it is essential to understand the potential threats that come with it. One of those threats is hackers, black hat hackers in particular: hackers who use their skills and knowledge to illegally access and manipulate systems for personal gain.

What exactly is a black hat hacker?

In the world of cybersecurity, there are three main categories of hackers:

  1. White hat
  2. Grey hat
  3. Black hat

White hat hackers are ethical hackers who use their skills to help secure systems and identify vulnerabilities. Gray hat hackers fall somewhere in between, using their skills for both good and nefarious purposes.

Black hat hackers, on the other hand, are the ones you need to avoid.

Are black hat hackers cybercriminals?

A black hat hacker is a cybercriminal who uses their skills and expertise to gain unauthorized access to systems, steal sensitive information, and cause damage to networks and websites. These individuals often operate with malicious intent, and their actions can have severe consequences for both individuals and organizations.

See more: Why is healthcare a juicy target for cybercrime?

The black hat hacker threat to healthcare

In the healthcare industry, black hat hackers pose a particular threat due to the sensitive and personal nature of the information stored in healthcare systems.

Medical records, insurance information, and other personal data can be valuable commodities on the black market. And hackers target healthcare organizations to gain access to this information.

The consequences of a black hat hack are severe, including financial losses, damage to a company’s reputation, and legal repercussions. Therefore, healthcare organizations must protect themselves and their patients from these attacks.

Protect yourself from black hat hackers with these steps:

  • Implement strong passwords
  • Regularly update software and security protocols
  • Train employees to identify and prevent potential threats
  • Use best-of-class cybersecurity software tools

In 2021, the healthcare industry saw a significant increase in cyber attacks, with more than 65% of healthcare organizations reporting a data breach. Additionally, the financial consequences of these attacks are significant, with the average cost of a data breach in the healthcare industry reaching $380 per record. 

Besides the financial impact, data breaches can damage an organization’s reputation and patient trust.

See more: HHS reminder: remain vigilant against cyberthreats

What are the types of cyberattacks?

As we’ve established, black hat hackers use their skills and knowledge to gain unauthorized access to systems, steal sensitive information, and cause damage or disruption. But what are some specific tactics they may use to achieve these goals?

Let’s look at some of the most common attacks and risks associated with black hat hacking in the healthcare industry.

Malware: Malware is software designed to harm or exploit a computer system. It can take many forms, including viruses, worms, and Trojan horses. Once installed on a computer, malware can steal sensitive information, delete or corrupt files, and even take control of the system.

Phishing Links: Black hat hackers often use phishing scams to trick individuals into divulging sensitive information or clicking on a link that installs malware. These scams can be emails, texts, or social media messages that appear to come from a legitimate source. They may ask for login credentials and financial information or urge the recipient to click on a link or download an attachment.

DoS Attack: A denial of service (DoS) attack is a tactic that involves overwhelming a website or system with traffic, rendering it inaccessible to legitimate users. DoS attacks can be challenging to prevent and cause significant disruption for the targeted organization.

See more: White House warns against possible Russian cyberattacks

Healthcare needs to be aware of black hat threats

As a healthcare professional or facility, you must be aware of the potential risks of black hat hacking and take steps to protect yourself and your patients. The risks associated with black hat hacking in the healthcare industry are significant. Staying vigilant and being proactive in your cyber security efforts is essential to protect yourself and your organization.

This includes meeting the requirements set forth by HIPAA (the Health Insurance Portability and Accountability Act) for safeguarding PHI (protected health information).

So how can you ensure you meet these requirements and protect your patients’ information?

Paubox is your solution.

Paubox is a secure email provider that meets HIPAA and PHI requirements. It lets you send and receive secure emails without portals or logins. The solution is patented and has military-grade encryption.

Using a secure email solution like Paubox gives you peace of mind knowing you’re taking steps to protect your patients’ sensitive information.

Today, being vigilant in your cyber security efforts is more critical than ever. And Paubox is a valuable tool in helping you do just that.

See more: HIPAA compliant email: The definitive guide


CMS responds to third-party data breach


The Centers for Medicare & Medicaid Services (CMS) recently responded to a data breach at subcontractor Healthcare Management Solutions, LLC (HMS). The incident may have affected Medicare beneficiaries’ personally identifiable information (PII) and protected health information (PHI). 

According to the press release, “HMS acted in violation of its obligations to CMS and the incident has the potential to impact up to 254,000 Medicare beneficiaries out of the over 64 million beneficiaries that CMS serves.”

Keep reading to learn more about the data breach and what CMS is doing in response. Plus, find out how covered entities can protect themselves with a HIPAA compliant email platform.

What happened?

On October 8, HMS’ corporate network was targeted in a ransomware attack. As a CMS subcontractor, HMS resolves system errors connected to Medicare beneficiary entitlement. The company also helps collect premiums from the direct-paying beneficiary population. 

CMS was informed of the cybersecurity incident on October 9. However, it was initially found that no CMS systems or Medicare claims data were involved. As soon as the incident was reported, CMS immediately began an investigation to uncover what personal information may have been compromised.

On October 18, CMS determined that the incident potentially included PII and PHI for certain Medicare enrollees. Specifically, exposed data might have included the following:

  • Name
  • Address
  • Date of Birth
  • Phone Number
  • Social Security Number
  • Medicare Beneficiary Identifier
  • Banking information, including routing and account numbers
  • Medicare Entitlement, Enrollment, and Premium Information

How is CMS responding to the data breach? 

CMS is mailing letters to all potentially impacted beneficiaries to directly inform them of the data breach. The agency states that it is “continuing to investigate this incident and will take all appropriate actions to safeguard the information entrusted to CMS.”

While CMS is not aware of any identity fraud cases connected to the breach, they are still issuing new Medicare cards with a new Beneficiary Identifier out of an abundance of caution. Beneficiaries are also being offered Equifax Complete Premier credit monitoring services free-of-charge. 

“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”

Protect your organization with Paubox

Healthcare providers can avoid data breaches in the first place by making risk management a top priority. This includes ensuring that every third-party vendor is willing to sign a business associate agreement (BAA), which outlines the responsibilities of the business associate to keep protected health information (PHI) secure.

And with email serving as a leading entry point for cybercrime, human error is often at fault for letting ransomware into a network system. Therefore, it is critical for healthcare providers to safeguard PHI at every stage with a HIPAA compliant email provider.

Designed to seamlessly integrate with your existing email platform, Paubox Email Suite enables HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary. 

In addition to healthcare email encryption, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block ransomware and other cyberattacks from even reaching the inbox in the first place. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.

How to make HIPAA compliant email stress-free for nurses


Just like all medical practitioners, nurses must understand HIPAA compliance and be HIPAA compliant in their communication with or about patients. Nurses play key roles in proper patient care and in safeguarding protected health information (PHI). They deal with private information daily and must be aware of how to communicate it.

See also: PII and PHI best practices: How healthcare organizations should handle sensitive information

Patients and their healthcare providers need to give and receive information clearly and securely. HIPAA compliant email is one of the best ways to meet those needs. However, a HIPAA breach, intentional or accidental, is a big concern for all medical professionals and can cause undue stress on an already overworked staff. HIPAA compliant secure email provides a top option for healthcare professionals, especially nurses.

What is HIPAA?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients. The U.S. Department of Health and Human Services’ Office for Civil Rights regulates and enforces the act. HIPAA consists of five sections (or titles), with Title II being the most referenced.

Title II sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form, and includes:

  • Privacy Rule (2003): covers the protection of PHI as well as compliance standards
  • Security Rule (2005): sets required security standards to protect ePHI
  • Enforcement Rule (2006): sets the rules for enforcing HIPAA and penalizing non-compliant organizations
  • HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
  • Breach Notification Rule (2009): sets the procedures for reporting breaches
  • Omnibus Final Rule (2013): incorporates HITECH further by improving privacy protections

These rules and amendments strengthen and further elucidate the building blocks necessary for patient privacy and security and, of course, patient care.

Learn about: Patient engagement and HIPAA compliance: What you need to know

What nurses need to know about HIPAA

Like all medical practitioners, nurses must follow HIPAA guidelines to protect a patient’s privacy. And nurses are privy to PHI for numerous patients at any given time. Nurses constantly look after multiple records and patients when working in a small clinic or a large hospital.

See also: The role of nurses in HIPAA compliance, healthcare security

Nurses are at the forefront of handling, managing and disclosing PHI:

  • During treatment
  • To facilitate payment
  • When authorized by a patient
  • For disaster notification or national security
  • For law enforcement, in some instances

Such disclosure could be to patients, their family members or other medical providers. It may also be for general HIPAA compliant documentation. And because of this, nurses must understand and follow HIPAA regulations.

HIPAA compliant email

HIPAA compliant email must meet the HIPAA requirements for the safe electronic communication of PHI. Sending and receiving an email containing PHI is not a HIPAA violation if the essential safeguards are correctly in place.

Related: Why healthcare providers should use HIPAA compliant email

The Security Rule puts safeguards into three categories: administrative, physical and technical. For email, this could mean setting policies and procedures (administrative), verifying workstation/computer controls (physical) and monitoring login controls (technical). The idea is to restrict access, monitor use and always ensure PHI integrity and message accountability.

One critical aspect of email security is encryption. HIPAA labels encryption as “addressable” and states that it must be used if it “is a reasonable and appropriate safeguard.” Unfortunately, though, there is no appropriate alternative to encryption. Therefore, healthcare organizations must take sufficient steps to secure PHI at rest (in storage) and in motion (in transit).

What are common ways to violate HIPAA with email?

A HIPAA violation occurs when a healthcare professional does not properly safeguard PHI, whether through negligence or by accident. HIPAA rules exist not only to stop such violations but also to hold non-compliant healthcare practitioners liable.

See also: Preventing security breaches in healthcare

How could a nurse violate HIPAA with email?

Regarding email communications, there are several ways to violate HIPAA accidentally. For example, a nurse may write an email and include PHI without a patient’s permission. In another example, a nurse may write an email at their station and be disrupted by an emergency and walk away to attend to it. Walking away to take care of an emergency with an email that includes PHI open and visible is classified as an accidental disclosure and a reportable HIPAA violation.

However, there are also intentional violations, such as curiosity-driven disclosure. For example, news that a well-known person is receiving care might be shared outside the context of actual patient care.

Learn more: Potential coronavirus-related HIPAA violations

Of course, the disclosure could be purposeful and sometimes even harmful.

Finally, there are breaches caused by an organization not using strong email security, which can open the door to a cyberattack. In any of these instances, using HIPAA compliant email would have helped.

Do all nurses need to use HIPAA compliant email?

Nurses always need to use a HIPAA compliant email solution when sending PHI.

The vast majority of nurses need a secure solution that is easy to use and does not add to their workload. For example, easily sending secure emails containing appointment reminders, treatment information, diagnosis or prescriptions can help create an efficient and smooth workflow.

Learn about: Permitted use and disclosure of protected health information (PHI) under HIPAA

And something that cannot be forgotten: nursing and healthcare are stressful and tiring. When work is long and hard, it is easy to overlook the security measures that stop a breach from occurring. By using a secure email provider like Paubox, staff or provider errors are taken out of the equation.

6 HIPAA compliant email use best practices for nurses

  1. Have a fundamental understanding of HIPAA and PHI.
  2. Go through employee HIPAA awareness training.
  3. Learn to exercise caution when accessing information from multiple devices, including mobile. 
  4. Never share passwords or login credentials.
  5. Pause before sending an email and ask, “Does the recipient need this information to do their job? What is the minimum amount I can send to help a patient?”
  6. Use a secure email provider for HIPAA compliance, like Paubox, for all email communication.

Read more: Why cybersecurity education is key to protecting your medical practice

How can Paubox HIPAA compliant email help nurses care for patients?

Paubox Email Suite takes healthcare emails seriously by providing nurses with an easy way to communicate securely with patients. 

Our HITRUST-CSF certified solution is effortless and lets nurses focus on caring for patients without adding to the stress of digital communication barriers and HIPAA compliance regulations.

No additional passwords or portals are necessary, and there is no need to change your existing platform.

Related: Top 7 things you didn’t know about Paubox Email Suite

Paubox Email Suite enables HIPAA compliant email by default and encrypts every outbound message automatically. And our Plus and Premium plans come equipped with innovative, proactive inbound tools like Zero Trust Email and ExecProtect.

There is no reason to hesitate. Let Paubox do the heavy lifting when it comes to HIPAA compliance and emailing your patients so you can focus on the important job of nursing. 


OCR’s Notice of Proposed Rulemaking


Wondering about the status of OCR’s Notice of Proposed Rulemaking? OCR announced the proposed rulemaking in December 2020. Although the proposal was not technically subject to the “regulatory freeze” by the Biden administration, it was effectively delayed because OCR extended the public comment period until May 2021.


OCR’s NPRM to modify HIPAA

On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support individuals’ engagement in their healthcare, remove barriers to coordinated care, and decrease regulatory burdens on the healthcare industry, while continuing to protect individuals’ health information privacy interests.

OCR developed many of the proposals in the NPRM in response to public comments received in response to its 2018 Request for Information (RFI) on Modifying the HIPAA Rules to Improve Coordinated Care.

Read more: Understanding and implementing HIPAA rules

The NPRM’s proposed changes to the Privacy Rule include proposals to:

  • Strengthen individuals’ rights to access their own health information, including electronic information.
  • Improve information sharing for care coordination and case management for individuals.
  • Facilitate family and caregiver involvement in the care of individuals experiencing emergencies or health crises.
  • Enhance flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies.
  • Reduce administrative burdens on HIPAA covered healthcare providers and health plans.

The estimated total cost saving from this proposed regulatory reform is $3.2 billion over five years.

Read more: HIPAA Compliant Email: The Definitive Guide [2023 update]

Wondering about the status of OCR’s Notice of Proposed Rulemaking?

On January 21, 2021, the NPRM for the proposed HIPAA privacy rule changes was published in the Federal Register. The deadline for submitting comments on the 357-page proposal was March 22, 2021. Almost everyone interacting with healthcare systems will be affected by the proposed changes to the HIPAA Privacy Rule. In light of the potential impact of the proposed HIPAA changes, the deadline for submitting comments was extended to May 6, 2021. OCR has not yet provided a date for when the Final Rule will be issued, but it is likely to result in HIPAA changes in 2023, although they may not become enforceable until 2024.

Read more: OCR shares guidance on preventing common cyberattacks

White House to increase healthcare cybersecurity standards

The White House is rolling out new cybersecurity guidelines for healthcare and other critical infrastructure areas, according to public officials at a recent Washington Post event.

Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, explained that the U.S. has fallen behind on security standards in comparison to other countries. 

The goal of the new guidelines is to increase healthcare and critical infrastructure cybersecurity standards by ensuring minimum requirements are in place.

Keep reading to learn more about what’s to come and why this is important. Plus, find out how healthcare providers can strengthen protection against cyberattacks now with a secure email provider.


Key focus areas and strategies

Healthcare, water and communications sectors are critical areas of focus for raising cybersecurity standards. It’s hard to imagine not being able to access healthcare and water or losing the ability to communicate with each other. U.S. citizens’ safety is dependent on this core infrastructure.

A public-private partnership is planned as an ongoing effort to improve cybersecurity. This corresponds with Executive Order 14028 from May 2021, which promotes better communication between federal entities and private sector businesses.

At the Washington Post event, Neuberger noted that the private sector manages a significant portion of the U.S. critical infrastructure. Collaboration with private groups to mitigate the latest risks and create standards is therefore crucial.

What this means for healthcare cybersecurity

The United States Department of Health and Human Services (HHS) has begun working with partners at hospitals to implement minimum healthcare cybersecurity guidelines. In addition, efforts to secure the industry on a broader scale are in place. 

These initiatives will reduce risks to the U.S. critical infrastructure as the threat landscape continues to evolve. 

Healthcare is targeted by ransomware attacks more often than any other critical infrastructure, according to the FBI’s 2021 Internet Crime Report. CommonSpirit Health, one of the nation’s largest health systems, is still suffering the effects of a recent incident.

Stacy O’Mara, Senior Director of Government Affairs at Mandiant, told HealthcareITSecurity that these ransomware attacks can be mitigated “if hospitals had a baseline to establish, maintain, and measure their cybersecurity hygiene and level of preparedness.”

Be proactive with Paubox 

Email is a top threat vector for ransomware and other cyberattacks. Providers can proactively boost healthcare cybersecurity measures by making secure email a top priority. That’s where a HIPAA compliant email service comes in. 

Convenient and easy HIPAA compliance and email security

Paubox email solutions conveniently integrate with your current email platform, such as Google Workspace, Microsoft 365 or Paubox Email Suite. You can send HIPAA compliant email by default and automatically encrypt every outbound message. This means you don’t have to spend time deciding which emails to encrypt. And your patients receive your messages right in their inbox—no additional passwords or portals necessary. 

Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools to help block the cyberattacks plaguing healthcare.

Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect feature quickly intercepts display name spoofing attempts.
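Display name spoofing, the pattern ExecProtect is described as intercepting here and in the CMS section above, can be illustrated with a small inbound check. The following is an added example, not Paubox’s ExecProtect code or any part of its product; the executive roster, the trusted domain and the sample From headers are constructed for illustration.

```python
# Added example: display name spoofing check. Not Paubox's ExecProtect code;
# roster, trusted domains and sample From headers are constructed.
import re
import unicodedata
from email.utils import parseaddr

# Hypothetical roster of people an impersonator would pick, plus the
# domains the organization really sends from.
EXECUTIVE_ROSTER = {
    "Dana Rivera": "dana.rivera@example-health.org",
    "Sam Okafor": "sam.okafor@example-health.org",
}
TRUSTED_DOMAINS = {"example-health.org"}


def normalize_name(name: str) -> str:
    """Fold case, strip accents and zero-width characters, collapse spaces,
    so 'DANA  Rivera' and 'Dána Rivera' equal the roster entry.
    Full homoglyph swaps (e.g. Cyrillic letters) are not handled here."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    stripped = re.sub(r"[\u200b-\u200f\u2060\ufeff]", " ", stripped)
    return " ".join(stripped.lower().split())


_ROSTER_BY_NORM = {normalize_name(n): a for n, a in EXECUTIVE_ROSTER.items()}


def check_from_header(from_header: str) -> dict:
    """Classify one From header as 'ok', 'suspicious' or 'spoofed'."""
    display, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    result = {"display": display, "address": address, "verdict": "ok", "reason": ""}
    if not display:
        return result  # bare address: nothing to impersonate with

    # Trick 1: the display name is itself an internal-looking address,
    # e.g. "dana.rivera@example-health.org" <attacker@evil.example>.
    if "@" in display:
        claimed = display.rsplit("@", 1)[-1].lower().strip(" >")
        if claimed in TRUSTED_DOMAINS and domain not in TRUSTED_DOMAINS:
            result["verdict"] = "spoofed"
            result["reason"] = f"internal address in display name, mail from {domain!r}"
        return result

    # Trick 2: a roster name, possibly decorated ("Dana Rivera (CEO)"),
    # on a sending address the organization does not control.
    norm = normalize_name(display)
    matched = _ROSTER_BY_NORM.get(norm)
    if matched is None:
        matched = next((a for n, a in _ROSTER_BY_NORM.items() if n in norm), None)
    if matched is None:
        return result
    if domain not in TRUSTED_DOMAINS:
        result["verdict"] = "spoofed"
        result["reason"] = f"executive name on untrusted sender domain {domain!r}"
    elif address != matched:
        # Right organization, wrong mailbox: possibly a compromised
        # internal account or a misconfigured client. Worth a look.
        result["verdict"] = "suspicious"
        result["reason"] = "executive name paired with a different internal address"
    return result


if __name__ == "__main__":
    SAMPLE = [  # constructed headers
        '"Dana Rivera" <dana.rivera@example-health.org>',
        '"Dana Rivera" <ceo.urgent@mail-lookalike.example>',
        '"DANA  rivera (CEO)" <x@mail.example>',
        '"Sam Okafor" <helpdesk@example-health.org>',
        '"dana.rivera@example-health.org" <attacker@evil.example>',
        "billing@vendor.example",
    ]
    for h in SAMPLE:
        r = check_from_header(h)
        if r["verdict"] != "ok":
            print(f"{r['verdict']:10} {r['address']:40} {r['reason']}")
```

A check like this only covers the visible From header; a production filter would combine it with SPF, DKIM and DMARC results, which this example does not evaluate.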