What is Phishing?

The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), defines phishing as a sophisticated cyber-attack designed to deceive individuals into disclosing sensitive information through electronic communications. This tactic relies on impersonating a trusted entity, exploiting the trust inherent in healthcare settings to gain unauthorized access to protected health information (PHI).

The Prevalence of Phishing Attacks

Recent data underscores the urgency of this threat. In Q2 2021, HHS reported that 42% of ransomware incidents involved phishing, highlighting its role as a primary vector for cyberattacks in healthcare. Despite the apparent simplicity of identifying and reporting suspicious emails, the persistence of these incidents suggests a gap in awareness or response protocols among employees.

Strategies to Mitigate Phishing Risks

HHS advises that all covered entities, including therapy practices, prioritize employee education to recognize phishing attempts. Key steps include:

  • Training and Awareness: Equip staff with the skills to identify red flags, such as unsolicited requests or unusual sender addresses.
  • Reporting Protocols: Establish a clear process for employees to report suspicious communications to supervisors and IT personnel promptly.
  • Proactive Measures: Develop and implement organizational policies to address identified threats, ensuring a coordinated response to mitigate potential breaches.

CMS Phishing Alert: A Targeted Threat to Providers

The Centers for Medicare & Medicaid Services (CMS) has issued a critical alert regarding fraudulent schemes targeting Medicare providers. These scams involve impostors posing as CMS officials, sending phishing faxes requesting medical records and documentation under the guise of a Medicare audit. CMS clarifies that it does not initiate audits through fax requests and urges providers to:

  • Refrain from responding to suspicious requests.
  • Collaborate with their Medical Review Contractor to verify the legitimacy of any communication.

This underscores the need for vigilance: with phishing attacks, the question is not “if” but “when” they will occur.

Practical Recommendations for Therapy Practices

To safeguard your practice, adopt a proactive stance:

  • Question Communications: Scrutinize emails, faxes, and texts for inconsistencies, such as unexpected attachments or urgent demands.
  • Report Immediately: Ensure staff escalate potential threats to designated supervisors or IT teams.
  • Verify Authenticity: Confirm the legitimacy of requests through official channels before taking action.

At BCMS, we specialize in empowering healthcare providers through our comprehensive Compliance Program, which includes tailored policies and procedures specifically addressing cybersecurity strategies. By integrating Federal guidance with robust annual training, we help therapy practices stay ahead of phishing threats, protecting both patient data and operational integrity. Contact us to strengthen your defenses today.