Transcript
Episode 444: Guess the Culprit of the Latest HIPAA Penalty: It’s MFA and Phishing Scams
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance, all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Evan Dumas
Hello and welcome to Episode 444: Guess the Culprit of the Latest HIPAA Penalty: It’s MFA and Phishing Scams.
Liath Dalton
Indeed. And why are we talking about this? Well, part of what Evan and I do is track all of the HIPAA enforcement actions that are taken, as well as reading the annual reports of breach report results, investigations, complaint investigation results, penalties and so on, because we want to glean for all of you what the most important takeaways are, so that you can be proactive and avoid any such things occurring within your practice, and be equipped with knowing how to safeguard your clients' protected health information.
Liath Dalton
Now I also want to preface this by saying that actual HIPAA penalties, where monetary fines are imposed, are pretty rare. So this year, seven such monetary penalties have been enforced, basically, as the result of breaches and investigations. The latest one is really large in terms of the monetary amount. I mean, it's not a small mental health practice; it is a children's hospital in Colorado. But the takeaways of what caused the breaches are really applicable and a good lesson for all of us. So we want to highlight what those takeaways are. Now, the enforcement action resulted in a penalty of how much money, Evan?
Evan Dumas
Oh, a little over half a million dollars. It was like 500 and what, 48,000?
Liath Dalton
Yeah, $548,265.
Evan Dumas
Wow.
Liath Dalton
Which is significant, and I imagine still impactful, for the children's hospital right now. In addition, the really big takeaway is what caused the breach in the first place and why OCR, the Office for Civil Rights, the HIPAA regulators, had so little tolerance for the breach having occurred, the reason being that multi-factor authentication had been disabled on one of the breached email accounts. And the breach of that email account by an unknown and unauthorized third party resulted in over 10,000 individuals' PHI being exposed.
Liath Dalton
And then, in addition to that, another breach resulted from the login credentials for email accounts being provided to unauthorized and unknown third parties. This wasn't the same, more innocuous (but still not permitted) issue of login sharing between workforce members who are authorized to access info, but resulted from folks falling victim to a phishing scam and providing their login credentials to an unauthorized third party. So what does this highlight?
Evan Dumas
Yeah, that in general, humans are the weakest link; behavioral things are always the weakest for us. But also the sheer importance of (yes, it's annoying) turning on and enforcing multi-factor authentication for everybody, and keeping them up to date on saying, hey, if someone asks, check in with me first, don't give out passwords. Never share passwords. You should have systems in place that don't even need password sharing.
Liath Dalton
Exactly. So for any system that contains client info, that contains protected health information, if that system has the capacity for multi-factor authentication to be utilized and enabled, you must have it enabled; that is one of the Security Rule standards. And ideally, in terms of settings and configurations, you want to make it so that MFA is required for all user accounts, not just that it's optional, but that it's required and enforced by the system, right?
Liath Dalton
And there are some great tools that make the kind of rigmarole of MFA a lot easier to manage, and they don't cost anything and don't even require that you are using Google Workspace and have a BAA, because it's outside the scope of what you need a business associate agreement for. And that's the Google Authenticator app, which is something we recently did a podcast episode about. So we'll include the link to that so you can get that deeper dive in that episode.
Liath Dalton
So there's a great tool that doesn't cost anything that helps you with that. And in addition to those benefits, it also increases the security of the way multi-factor authentication works, because it's not relying on SMS text messages, which aren't secure, and we are especially aware of how not secure they are in light of the recent Chinese telecom hack that we talked about last time.
Liath Dalton
So, takeaway: make sure that every system that you have that contains client info has multi-factor authentication enabled and required. Support your team in managing this effectively and securely by utilizing the Google Authenticator app. And then when it comes to phishing, and avoiding falling prey to a phishing scam, Evan said the key piece, which is that your policies and procedures need to include the prohibition on ever providing login credentials to anyone else; they need to be held solely by the individual whose account those credentials belong to.
Liath Dalton
And phishing scams are increasingly prevalent. They're designed to really create a sense of urgency. A common tactic is for the scammers to pose as an account support specialist, telling someone that their account has been compromised and that they want to help get the intruders out, and that the way they can do that is by your providing the login credentials. So make sure that your team is really well aware of the prohibition on providing passwords and login credentials to anyone other than themselves, no matter the sort of urgency that is presented in a situation. It's a great time of year to be doing that as well, and we do have a supportive training that's all about recognizing phishing scams and social engineering, which is that component of creating urgency and masquerading as an authorized individual who's trying to help you. So we'll put a link to that security awareness training in the show notes as well, for your team, if you want to have something that goes above and beyond the security reminder of recognizing phishing attempts and not providing any login credentials.
Liath Dalton
We should start calling these episodes "The More You Know," with the little star and rainbow. We hope that's helpful, especially in the current kind of threat landscape that we're all navigating and operating in as businesses and individuals. These are important reminders for safeguarding client info as well as your business info and personal info. We really need to develop a stronger culture of security, and these are some key actionable ways to do that, and again, ways that are not costly in any measure. So hopefully this has been helpful. Thanks for listening, and we'll chat to you next time!
Evan Dumas
Yeah, talk to you next time, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com; for more podcast episodes, you can go to personcenteredtech.com/podcast or click Podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we dive into the latest HIPAA monetary penalty, a $548,265 penalty against Children's Hospital Colorado, and the two failures behind it: multi-factor authentication disabled on an email account, and staff handing login credentials to a phishing scammer.
We discuss:
- Instances of monetary HIPAA penalties
- Sharing login credentials between workforce members vs with unauthorized third parties
- The importance of multi-factor authentication
- Using the Google Authenticator app for MFA
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources:
- About the violations & penalty: HHS Office for Civil Rights Imposes a $548,265 Penalty Against Children’s Hospital Colorado for HIPAA Privacy and Security Rules Violations
PCT Resources:
- Related Training (non-CE): Security Awareness Grab-Bag
- A collection of three short courses helping you and your staff maintain your security awareness through better handling of PHI in public, avoiding inappropriate disclosures, and preventing phishing and social engineering attacks.
- Referenced podcast: Episode 440: MFA Made Easy with Google Authenticator
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.