The US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued new guidance warning against various social engineering techniques. Social engineering is an attempt to trick individuals into revealing sensitive information (e.g., passwords) or taking harmful actions (e.g., clicking malicious links). Between 2019 and 2023 large breaches involving unsecured protected health information (PHI) reported to OCR increased by 89 percent. Notably, 68 percent of these breaches involved attacks on humans rather than on technology.
Common tactics include phishing, smishing (SMS-based scams), baiting, and advanced threats like deepfakes. Phishing attacks often masquerade as legitimate communications, tricking recipients into entering sensitive data on fake websites. Smishing employs urgent SMS messages that lure victims into clicking malicious links. Baiting uses enticing offers to prompt unsafe actions, while deepfakes use AI to convincingly impersonate trusted individuals.
Organizations are encouraged to implement robust training programs to educate employees on recognizing and responding to these social engineering threats. Regular risk assessments and technical safeguards, such as anti-phishing technologies and strict access controls, are essential to protecting electronic protected health information (ePHI).
Access the guidance here.
Compliance Perspective
Issue
The HIPAA Security Rule contains provisions that can help regulated entities prevent or mitigate threats posed by social engineering. The Security Rule requires entities to ensure the confidentiality, integrity, and availability of all ePHI and to protect against reasonably anticipated threats to its security. Social engineering is a recognized threat and must be addressed in security measures.
Discussion Points
- Review and update policies and procedures related to HIPAA, the Security Rule, and ePHI to ensure they adequately address security measures against unauthorized access.
- Train all staff on HIPAA and the Security Rule upon hire and annually, focusing on recognizing phishing schemes, malware exposures, and the unauthorized release of ePHI. Document training sessions and maintain records in each employee’s education file.
- Periodically audit to ensure adherence to policies and procedures related to HIPAA and ePHI. Assess staff understanding and competency regularly, and perform ongoing risk analyses to keep systems updated.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*