In January of 2019, Managed Health Services (MHS) of Indiana Health Plan had to announce to approximately 31,000 patients that their personal data had potentially been a part of a data breach. However, MHS didn’t suffer this data breach. One of MHS’s business associates, LCP Transportation, was the victim. The hack was a result of LCP Transportation’s employees responding to phishing emails, which gave a hacker remote access to patient records.
Today, the most common cause of healthcare data breaches is phishing, and the rate of such attacks has risen sharply since 2021, roughly doubling since 2020.
Experts attribute the success of phishing largely to the human factor: someone in the organization opens the message, follows the link, or replies with credentials. To address the threat and protect your healthcare organization, you should have written policies and recurring training in place so that employees can recognize and report phishing attempts.
But, what about your vendors? Managed Health Services of Indiana Health Plan was the victim of a third-party data breach because their business associate, LCP Transportation, experienced a successful phishing attack. So, it’s not just your own organization’s staff that needs to have a certain level of phishing training and awareness; it’s that of your vendors too.
When performing a vendor risk assessment on a business associate or other third party, that assessment should include a thorough review of the vendor's Security Training and Awareness policy and procedures. During due diligence, review these documents in detail for phishing training that covers the full range of phishing techniques in use today, because there are many.
Phishing attacks arrive by email, by voice (vishing), and by SMS text (smishing), and they may be broadcast to a general group of people or tailored to specific individuals (spear phishing). Confirm that the vendor's training covers each of these channels, and check whether it is delivered periodically as part of each employee's or staffer's ongoing security training and awareness rather than only once at onboarding.
Answers to these questions (which techniques are covered, how often training recurs, and whether staff are tested) should be found in the Security Training and Awareness Policy and Procedures of the business associate or vendor.
A third party's Security Training and Awareness Policy and Procedures should always be thoroughly scrutinized when conducting a third-party risk assessment. Pay special attention to how the vendor's employees and staff are continuously educated and tested on recognizing phishing attacks, and where possible ask for evidence that the policy is actually carried out, such as training completion records or results from phishing simulations, since a policy on paper says little about how staff respond to a real lure. The standards and procedures a business associate or other third party uses for their own phishing training and awareness translate directly into how secure your protected health information (PHI) is in that vendor's environment if the adversary decides to go phishing for the human factor.