Technology Advisor Blog

Phishing: Would your employees click on any of these emails?

Posted by Ann Westerheim on 3/15/18 2:02 PM

Everyone thinks they won't click on a phishing link, but when we run tests, there's always someone who does!

Phishing is the leading tactic used by today's ransomware attackers, typically delivered as an email designed to impersonate a real system or organization. These messages are crafted to create a sense of urgency and importance, often appear to come from the government or a major corporation, and can include the real logos and branding. They look like the real thing!

Would any of your employees click on these emails?

  • Tax Refund - The recipient is told they are due a tax refund and directed to a site to claim it.
  • Bank Account Low Balance - The recipient receives a low balance alert for their bank account and is given the option to check the account.
  • Amazon Security Alert - Alerts an Amazon customer that there were several unauthorized attempts to access their account from an unknown device.
  • DocuSign Signature Request - The recipient is sent a request to electronically sign a document.
  • Webinar Reminder - The recipient is sent an email reminder that the webinar will begin in 1 hour.
  • Netflix Account Reset - The recipient is told their Netflix password has been reset and is asked to change it.
  • IT Reset Password - An email apparently sent from IT asking the user to reset their password.
  • eFax Email - An eFax email with instructions to download the electronic fax.

These are all examples of typical phishing scenarios, and they are actual emails we use as part of cybersecurity training. Everyone thinks they won't click on the link, but when we run training tests, there is always at least one person who does.

In a test scenario, the user is simply warned that they made a mistake, and it's an educational moment. If the email had been malicious, however, that one click could take down an entire organization with ransomware.
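The scenarios above share a pattern a mail filter or a trained employee can look for: a claimed brand (Amazon, DocuSign, Netflix, eFax), a sender domain or link destination that does not belong to that brand, and urgency wording. The following is an added example, not code from the original post or from Ekaru, showing those three checks over two constructed sample emails; the brand domain allow-list, the urgency term list and the samples themselves are illustrative assumptions, not a vendor product or real messages.

```python
"""Phishing-indicator check over constructed sample emails.

Added example, not code from the original post or from Ekaru. The brand
domain allow-list, the urgency terms and the sample emails are illustrative
assumptions; a real mail filter would draw them from maintained threat intel.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Assumed legitimate domains for brands the post lists as impersonation targets.
KNOWN_BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "netflix": {"netflix.com"},
    "efax": {"efax.com"},
}

# Wording that manufactures the "sense of urgency" the post describes (assumed list).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "unauthorized")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Reduce 'www.amazon.com' to 'amazon.com' (naive: keeps the last two labels)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_email: str) -> List[str]:
    """Return human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.split("@")[-1]) if "@" in sender else ""
    subject = msg.get("Subject", "")
    body = str(msg.get_payload())  # constructed samples are single-part text
    indicators = []

    # 1. Which brand does the email claim to be from? (display name or subject)
    claimed = (display_name + " " + subject).lower()
    brand = next((b for b in KNOWN_BRAND_DOMAINS if b in claimed), None)
    allowed = KNOWN_BRAND_DOMAINS.get(brand, set())

    # 2. Brand impersonation: the sender domain is not one the brand actually uses.
    if brand and sender_domain not in allowed:
        indicators.append(f"claims to be {brand} but sent from {sender_domain}")

    # 3. Link destination: the "site to claim your refund" points somewhere else.
    for url in URL_RE.findall(body):
        link_domain = registered_domain(urlparse(url).hostname or "")
        if brand and link_domain not in allowed:
            indicators.append(f"link to {link_domain} does not belong to {brand}")
        elif not brand and link_domain != sender_domain:
            indicators.append(f"link to {link_domain} differs from sender {sender_domain}")

    # 4. Urgency pressure in the subject or body.
    text = (subject + " " + body).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        indicators.append("urgency wording: " + ", ".join(hits))
    return indicators


# Constructed samples (not real messages); domains use the reserved .example TLD.
PHISH_SAMPLE = """From: "Amazon Security" <alerts@amazon-account-check.example>
To: employee@company.example
Subject: Amazon Security Alert: unauthorized sign-in attempts

We detected several unauthorized attempts to access your account from an
unknown device. Verify your identity immediately:
http://amazon-account-check.example/verify
"""

LEGIT_SAMPLE = """From: "Amazon" <no-reply@amazon.com>
To: employee@company.example
Subject: Your order has shipped

Track your package at https://www.amazon.com/orders
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

The constructed "Amazon Security Alert" sample trips all three checks (wrong sender domain, link off-brand, urgency wording), while the constructed order notification from amazon.com trips none. The same three questions (who claims to be sending this, where does the link really go, why is it pressuring me) are what the training tests described above teach employees to ask before clicking.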

The concept of a "human firewall" is getting a lot of attention these days. A network firewall, security patch updates, DNS protection, and all the technical layers of protection needed for responsible network protection are just part of the solution. The behavior of all users on your network will also impact your security (and the bad actors know it!). Don't forget employee security training as part of your overall cybersecurity strategy.

Tags: HIPAA, cybersecurity, ransomware, training, Microsoft Security Patches

Texting, eMail, and HIPAA

Posted by Ann Westerheim on 3/12/18 1:15 PM

At the HIMSS Healthcare IT Conference last week in Las Vegas, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, made some news when he said that health care providers may share Protected Health Information (PHI) with patients through standard text messages. Providers must first warn their patients that texting is not secure, gain the patients' authorization, and document the patients' consent. Note that this only applies to communications with patients.

This expands the previous 2013 HIPAA Omnibus Rule on emails which allows providers to email patients as long as the provider notifies the patient that email is not secure AND gains their consent.

Note that emails through free email services are NOT secure. Google, for example, reserves the right to "use...reproduce...communicate, publish...publicly display and distribute" your email messages. Most users don't read the lengthy terms of use and are surprised to hear this. Health care providers must use encrypted email or secure email systems to communicate ePHI outside of their networks.

The baseline services we provide through our service plans, such as firewalls, security patch updates, antivirus updates, etc., are an important foundation for the technical requirements of HIPAA, but there is so much more to it, and we want all our clients to be fully aware of all the requirements. Contact us if you want to set up a complimentary HIPAA review. The more you know the better!

For more details, read the full article by Mike Semel of Semel Consulting, author of How to Avoid HIPAA Headaches and one of the experts Ekaru follows for HIPAA information. We also offer cybersecurity training and a HIPAA compliance platform to help with your compliance.

Tags: HIPAA, data security, cybersecurity, Compliance

Older Blog Posts

For older Ekaru blog posts, go to ekaru.blogspot.com.