Pretending to be someone else over the phone was a lot easier before caller-ID was invented. People took advantage of it in fun ways (like making prank phone calls after school), and others did in inappropriate and illegal ways. After caller-ID became a standard feature, as with most technologies, ways to bypass or disable it were created. Spoofing is one of those ways. For phone communications, spoofing allows someone to change the name and phone number that you see on your phone when they call you. Spoofing is illegal when it is used in a communication intended to cause harm, steal valuable information, or money. There are many varieties of spoofing because it is used so widely in social engineering, like disguising links in phishing email cyberattacks.
Social engineering is most often associated with cybercrime. The COVID-19 crisis continues to be a social engineer’s dream. Compared to this time last year, there has been an increase of more than 300% in cyberattacks and fraud reported to the FBI’s Internet Crime Complaint Center and no industry is immune. Some examples of reported attacks include charity and PPE scams, stimulus fund abuse, ransomware, and trying to steal PHI by impersonating an OCR investigator.
Cyberattacks do not always begin in cyberspace. A simple and effective way to get confidential information is to just call and ask. That was the method used by the OCR investigator impersonator.
A cybercriminal learns basic information about your office from your website. They might call and pose as a vendor or potential patient to ask about available appointments. This is to learn when the office is busiest because it is more likely that a person will provide information like account numbers, passwords, or answers to security questions when they are busy, distracted, or under stress. Cyberattacks use scripts, like telemarketers, and usually pretend to be a person of authority or IT support returning a call to help fix a problem someone else from your office reported earlier.
If someone calls you and requests PHI or other sensitive information, confirm their identity first. Tell them you will call them back and call the number listed on the official website of their agency or company. Things you can do to verify someone’s identity, including a public official or anyone acting on the behalf of a public official, include:
- Ask for an agency ID or other official credentials and write down a badge number or other identifier on the ID in your file. Then, call the phone number listed on the official website of the agency or company to confirm their identity, if necessary.
- Confirm the email address is valid by calling the phone number listed on the official website of the agency or company. Note: OCR investigators’ email addresses end in “@hhs.gov”.
- Ensure a written request is on appropriate government letterhead.
Although in-person and phone scams are successful, phishing email cyberattacks are the most successful because attackers target large numbers of victims at once. When a victim clicks on a spoofed/disguised link or downloads an attachment, malware is installed that steals a) your data, b) usernames and passwords that allow access to your data, or, c) in ransomware cases, blocks access to your data.
This year, nearly 50% of healthcare data breaches involving 500 patients or more reported to the OCR list email as the location of the breached PHI. Networks account for approximately 30% and are most often caused by stolen usernames and passwords. As of mid-July, over 6.25 million patients have been impacted by those breaches.
TMC is here to help clients keep their patients’ and practice’s information safe. Log into the Client Portal under “HIPAA Forms” to view and print our special infographic, Avoiding Scams and Malware to post in your office to help employees maintain awareness.