Federal Health & Welfare Updates

HHS Warns of Social Engineering Cyber Threats in HIPAA Newsletter

November 19, 2024

On October 25, 2024, the HHS Office for Civil Rights (OCR) published its October 2024 OCR Cybersecurity Newsletter. The newsletter focuses on “social engineering,” which the OCR defines as “an attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks or taking an action (e.g., clicking a link, opening a document, etc.).” The OCR highlights four common types of social engineering.

The first two types of social engineering are “phishing” and “smishing.” Generally, “phishing” is the attempt to trick people into providing sensitive information electronically, most often through email. The second type is “smishing,” which is a type of phishing that uses text messages to reach victims. The hacker disguises themselves as someone trustworthy and asks the potential victim to provide sensitive information for what appears to be a legitimate reason. Although the HIPAA Privacy Rule addresses attacks against work-related electronic communication (such as a work email address), phishing and smishing attacks often bypass this by going directly to a person’s personal email or phone number.

The third type of social engineering is “baiting.” This type attempts to trick people into providing sensitive information by offering a prize or deal in return for that information. Like other forms of social engineering, baiting appears to be legitimate, even though the offers appear too good to be true. Baiters also target personal emails and phone numbers even when seeking sensitive work information.

The final type of social engineering is the “deepfake.” This type of social engineering uses AI to create likenesses of people (or their voices) to trick others into providing sensitive information.

The newsletter provides measures that people can take to guard against these types of social engineering and reminds readers that the HIPAA Security Rule requires regulated entities, which include employer-sponsored group health plans and their business associates, to ensure the confidentiality of electronic protected health information (ePHI) against anticipated threats. The types of social engineering outlined in the newsletter are anticipated threats that regulated entities should consider when implementing security measures. Regulated entities need to include in their risk analysis a consideration of the potential threat that social engineering poses to their networks and the ePHI that is stored there. The OCR suggests that educational programs covering social engineering should be provided to employees. In addition, regulated entities should have safeguards in place in case a social engineering attempt succeeds in fooling an employee into providing access to the entities’ ePHI. Technical safeguards include protecting the integrity of ePHI from improper alteration or destruction and allowing access to ePHI to only those granted access rights to such ePHI.

Employers who sponsor group health plans and gather and maintain ePHI should be aware of the types of social engineering described in this article and of the OCR’s expectations that they consider them and implement safeguards to protect against them.

October 2024 OCR Cybersecurity Newsletter

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
