Phishing has long been a favorite tactic for threat actors (hackers) to commence a cyberattack. The rapid expansion of more adaptable and available artificial intelligence (AI) technologies, such as natural language processing and large language models, now fuels more ferocious phishing campaigns. The effects are being felt in many industries, perhaps most notably the healthcare industry. One indicator of that may be the recent Office for Civil Rights (OCR) announcement of its “First Ever Phishing Cyber-Attack Investigation”
In October 2023, the U.S. Department of Health and Human Services (HHS) and the Health Sector Cybersecurity Coordination Center (HC3) published a white paper entitled, AI-Augmented Phishing and the Threat to the Health Sector, the HC3 Paper. While many have been using ChatGPT and similar platforms to leverage generative AI capabilities to craft client emails, layout vacation itineraries, support coding efforts, and help write school papers, threat actors have been hard at work using the technology for other purposes. According to the HC3 Paper,
Making this even easier for attackers, tools such as FraudGPT have been developed specifically for nefarious purposes. FraudGPT is a generative AI tool that can be used to craft malware and texts for phishing emails. It is available on the dark web and on Telegram for a relatively cheap price – a $200 per month or $1700 per year subscription fee – which makes it well within the price range of even moderately-sophisticated cybercriminals.
The HC3 Paper is informative. It not only outlines some basics about AI and the healthcare industry, but also speaks to helpful countermeasures and best practices. These include:
- email filtering,
- employee training and awareness,
- multifactor authentication, and
- endpoint security management.
Of course, phishing is nothing new. As noted by the HC3 Paper, the FBI’s Internet Crime Complaint Center (IC3) found that phishing attacks were the number one reported cybercrime in 2022, with over 300,00 complaints reported. And, important for the healthcare industry, phishing was the most common attack impacting healthcare organizations, amounting to nearly half of the attacks in 2021, according to the Healthcare Information and Management Systems Society.
This brings us to the recent OCR’s enforcement action and resolution agreement. According to OCR announcement, a relatively small urgent care center in Louisiana, experienced a HIPAA breach that was initiated by a phishing attack. Reports about the incident suggest the attack affected nearly 35,000 individuals. According to the resolution agreement, the OCR alleged that prior to the incident, the HIPAA covered entity had not conducted a HIPAA Security Rule risk analysis or implemented procedures to regularly review records of information system activity. In addition to the payment of a restitution amount of $480,000, the center agreed to a two-year corrective action plan.
Phishing attacks are serious business and they have become more so since being fueled by AI technologies – the healthcare industry continues to be a prime target. It is critical for covered entities and business associates to not only implement measures to prevent these attacks, but to also be prepared to respond when they occur. Develop and maintain an incident response plan! Back to basics on HIPAA compliance also is critical when responding to an OCR inquiry. Cyberattacks happen and inquiries may follow. Maintaining a record of HIPAA compliance will be one of, if not, the most important element in the response to the OCR or state agency.