Transcript

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton, and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 601: Email Hacked? How to Prevent it and What to do When it Happens.

 

Liath Dalton 

This is a topic that is very timely, and was really precipitated by the fact that we, at PCT, are in many practices’ contact lists, and have been, as a result, getting a lot of emails recently from practice email addresses that have been compromised and hacked. So we get all these like suspicious looking emails where it’s a Dropbox link, or a file download, like PDF, password protected PDF, sort of link, some Google shares, all sorts of different variations of the, sort of, what occurs when an email hack has taken place, and the hackers are then trying to spread the hack, and glean information, right?

 

Evan Dumas 

Yes exactly, yes.

 

Liath Dalton 

So we wanted to talk about how to prevent this, how to respond, and, both if you were the recipient of one of these suspicious emails, and then what the HIPAA response looks like as well, in terms of security incident investigation, etc.

 

Evan Dumas 

Mhm, mhm.

 

Liath Dalton 

Evan is going to take the lead on this, because this is very much his domain, and I am getting over an illness, so you will appreciate hearing his voice more than mine for sure today.

 

Evan Dumas 

So to prevent this, you’re gonna want a combination of technical and behavioral measures. And we always recommend this. Because, you know, behavioral is the training, the talking about, but that’s fallible. You know, we have days where we forget what we’re going to do, and how we’re going to do it. So you want technical measures, so that people don’t have to think about it. It’s sort of built into your systems. And I’m just going to sum these up.

 

Evan Dumas 

The technical measure is to have two factor authentication on for all your email services, so that no one can get access to your account unless they also have access to another device or another means of authentication. Like that’s the best, bare minimum means of this, which is great.

 

Evan Dumas 

And behavioral measures, the summary there is education, training. Tell people how to spot phishing attacks, spam attacks, how to have them not click links, not click downloads, not be like I’m so curious, what is this? Oh, man, the worst thing. Like we are very naturally curious, yes, but that curiosity is exploited by these people to just spread whatever email virus, email access, whatever they’re trying to do. So inform people, talk to the people. Have it be a culture where people aren’t shamed if this happens to them, so that you can say yes, thank you for telling me. The last thing you want is for someone’s email to be hacked and they’re too ashamed to tell the IT person. And so it just gets worse, and they try to fix it on their own.

 

Liath Dalton 

Exactly. I mean, that is a huge part of the sort of practice culture that you want to set up around security practices in general, is that you want people to feel truly safe and encouraged to report anything suspicious. That when in doubt about anything they should be coming to the security officer. It’s not bothersome. It’s not being paranoid or hyper vigilant. It is part of safeguarding client info and safeguarding the practice as well.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So it’s really important that folks know that if they are in doubt about anything before they take action on it, before they click the link, to check with the security officer. Or if it’s already past that point, and a link was clicked and a compromise has occurred, that the sooner that it is reported, the sooner it can be contained, and therefore the impact of it minimized.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

And by impact, we’re talking about impact to clients, like the amount of client information that could potentially be compromised, and therefore the impact to the practice overall, in terms of what your response process is going to entail, and how you know involved and costly that’s going to be.

 

Evan Dumas 

Mhm, yeah.

 

Liath Dalton 

So just emphasizing that with your teams is really, really vital. And can be part of, you know, if you’re doing a beginning of the year sort of refresher training on any pertinent policies and procedures that you have identified need to just be sort of highlighted, or that closer adherence around is necessary, or that people are lacking clarity or support around, now is a good time to address those things, and this should be one component of that.

 

Liath Dalton 

Not just the email security piece, but this security culture component, of: talk to your security officer; when in doubt, check; if something is awry, don’t delay talking to us, and you know, there is, there is no shame in that, we just need to know what’s going on so that we can address it and support you.

 

Evan Dumas 

Mhm, yeah.

 

Evan Dumas 

And the nice thing about the technical measure, about two factor, is that you can enforce it. You can mandate it so that you don’t have to say, hey, please turn this on and check you turned it on, etc. You just go into whatever system you have that has admin controls. And if you are using Google, we have guides on that. If you’re using Microsoft, we don’t, that’s on you, or other systems, but you can and should and need to enforce it. And then it’s just done for everybody. It’s great.

 

Liath Dalton 

Right. And then that really means that the email can’t be hacked, even if someone clicks the funky link, right, Evan?

 

Evan Dumas 

Exactly. Because then the other person trying to access it would be like, Oh, crap, I need their phone or whatever. So, yeah.

 

Liath Dalton 

Yes. So it is like an incredibly simple step to enable and require 2FA, system-wide, and is something that has massive payoff in terms of the security benefit.

 

Evan Dumas 

Mhm, yeah.

 

Evan Dumas 

So now, what do people do if, either this has happened to them, or they receive an email from, say, a colleague at some other organization that looks kind of spammy and scammy?

 

Liath Dalton 

Yes, let’s start with what to do, because it’s shorter.

 

Evan Dumas 

Haha.

 

Liath Dalton 

If you receive an email like this that is – and maybe we should say a little bit more about what we see

 

Evan Dumas 

Of course,

 

Liath Dalton 

in these emails.

 

Evan Dumas 

yeah, I can speak to that. So what you see is a lot of very template, bland language. Like it’ll say greetings, it won’t say your name. Or it’ll say hey, please click this link. And it’s usually something monetary, like an invoice, or a receipt, or a purchase order, or something where you’re like, oh, this looks businessy. It’ll have some random numbers. It’ll have an attachment at the bottom, something like a Dropbox link or an Excel spreadsheet or some format you aren’t even sure of, with some random letters. And you’re like, yeah, I guess that’s a computer file. I better open it, and it’ll say, please see this, as per our conversation. You know, just very, not human, dry business lingo that no one I interact with uses, but that’s, you know, I pick my friends carefully. So that’s usually what it is. Like, it’s, usually the body of it is enough to make you suspicious.

 

Liath Dalton 

Mhm, exactly.

 

Liath Dalton 

So, yeah, if you get one of those emails, what should you do, aside from not clicking the link, Evan?

 

Evan Dumas 

Yeah, well, I recommend reaching out to either that person at the organization, or, even better, someone else at the organization. So if you know their admin or IT, or anybody else at it, because, hey, if that person’s email is compromised, chances are they might not be able to check it. And so if you CC someone else on it, saying, Hey, I got this suspicious email, no, don’t click the link. But I wanted to let you know, in case you weren’t aware you were sending out these spammy emails. And yeah, you know, they’ll do their due diligence. We, of course, at PCT, are going to be like, hey, here’s some recommended stuff, but that’s not on you. You don’t got to do that.

 

Liath Dalton 

Right. But just notifying them, and that’s a really important point, Evan, about not just notifying the sender, because they may not be receiving that.

 

Evan Dumas 

No.

 

Liath Dalton 

And so if it’s not just an individual, like a solo practitioner who has sent it out, like if we’re talking practice to practice here, in particular, if it’s an organization or practice that has multiple team members, a good thing that you can do is identify who else to contact by, even if you don’t know them, just by checking their website.

 

Evan Dumas 

Uh huh, yeah.

 

Liath Dalton 

Which, very often, the way to get to their website is just going to be removing the name and the at in their email address and putting the remaining string of usually like practice name.com into your browser address bar, and there you go.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And then you should be able to identify someone else to contact at the practice.

 

Evan Dumas 

Yeah, and if not, you know there’s, there’s every practice website has phone numbers or contact form or things like that, so there’s ways to get a hold of folks.

 

Liath Dalton 

Exactly. Yep. Okay, so now, what do you do if you discover that your practice has been, had its email hacked?

 

Evan Dumas 

Oh yeah, it’s time to document and investigate. Because one, write down this has happened, and two, start finding out why, what it’s affected. And you know, the HIPAA breach investigation or security incident, I should say, not all security incidents are breaches, but this is like a, oh, something I should check out to see how bad it is. And you need to find out how bad it is. So you have to start seeing, okay, what was accessed, and when did this happen, and who was affected. And it’s like the scope, it might be a tiny thing. It might be a no biggie, but it might be a biggie, and you got to find out and write it down.

 

Liath Dalton 

Right. Before we even move into the security incident investigation piece, though, is the initial containment and securing the account, right? So what, what are those steps?

 

Evan Dumas 

Yeah, that’s not, you know, base level step is changing passwords, just like making sure you have only very solid access to it, etc. I’m trying to imagine some circumstance where you wouldn’t. And turning on two factor if you don’t have it already. Like, you know, lock down.

 

Liath Dalton 

If you didn’t already have it, I mean, if you are hacked, it’s 99% certain that the reason is because there was a lack of multi-factor authentication, right?

 

Evan Dumas 

Yeah, right.

 

Liath Dalton 

So then maybe what you have in terms of your technical settings is that it’s enabled but not required.

 

Evan Dumas 

Yeah, yep, yep.

 

Liath Dalton 

So you want to change that, and then also log out of all active sessions. Right? Right.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Then I would also recommend at that point, checking your forwarding rules, inbox rules, connected apps, just to make sure that nothing was changed in those setting configurations, and nothing was added.

 

Evan Dumas 

Yeah, I’d run your antivirus, too.

 

Liath Dalton 

Yeah, antivirus, anti malware.

 

Evan Dumas 

Just do a sweep.

 

Liath Dalton 

Yeah. And then comes the security incident investigation and documentation process. Which, if the end result of that is that a likelihood of breach occurred, and you cannot prove that a breach of client information did not occur, then the notification goes both to impacted clients or potentially impacted clients, if you can’t discern in the investigation who was or wasn’t impacted on an individual client by client basis. So doing client notification, and then the HHS and OCR Office of Civil Rights, HIPAA breach notification.

 

Liath Dalton 

And the timeline for when you need to do the OCR notification or actually breach reporting is different depending on the size of the breach.

 

Evan Dumas 

Yes, of course.

 

Liath Dalton 

The shortest timeline which you always need to be focused on, is going to be notifying impacted clients.

 

Evan Dumas 

Mhm, yeah.

 

Liath Dalton 

So that takes precedence over the timing of the breach report to the OCR. Yeah.

 

Evan Dumas 

And that varies by state too. Like some states have privacy violation notification laws, like California is really short. What is it like? 10, 15, days, something like that? 

 

Liath Dalton 

Mhm, yeah, exactly. Whereas under HIPAA, it’s 30 days from the date of incident discovery. So it’s important to know your state law as well. It’s not, not just federally determined, and the state law always, always takes precedence, if, if it is more,

 

Evan Dumas 

If it’s shorter.

 

Liath Dalton 

If it’s shorter, if it’s shorter, yes, thanks, Evan. If so, that’s also an important distinction, that if HIPAA, you know, HIPAA says 30 days, but your state law says 45 days, you have to do it in 30 days.

 

Evan Dumas 

Yeah, yeah, exactly. It’s always the strictest rule.

 

Liath Dalton 

It only takes precedence when it’s the most stringent.

 

Liath Dalton 

So we are putting in the show notes, some resources for all of this, specifically in terms of training for your team. We’ve got an assignable staff training on HIPAA security awareness that includes phishing and social engineering, and that is something that can equip folks to recognize the phishing attempts and know how to respond and what to do. So that’s a tangible resource to help manage the training and education piece for your team, or if you’re a solo practitioner listening, this is also applicable to you.

 

Liath Dalton 

We also have a HIPAA security risk analysis and risk mitigation planning service, and which, if you have not done a full quote, HIPAA compliant, thorough and documented risk analysis, which is one of the foundational requirements of the HIPAA Security Rule you absolutely want and need to do that prior to making a breach report to the OCR.

 

Liath Dalton 

If the results of your security incident investigation are that yes, client information was compromised, then you are going to be filing a breach report. And if you’re filing a breach report, you really want to have as many of your HIPAA ducks in a row as possible when doing so.

 

Evan Dumas 

Of course.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

And that’s not just because of the benefits that has in terms of how your report is going to be received, but also because that has practical implications and value in terms of how you’re actually able to shore things up and prevent this sort of impactful thing from occurring again. So it’s not just a kind of like performative thing. It really does translate to greater security, if that’s something that hasn’t been done.

 

Liath Dalton 

And then the other resource that we are including in the show notes is we’ve got an on demand CE training on HIPAA breach investigation and documentation. So that guides you through what all of the particulars of that process entail are, and the differences between a large breach and a small breach and reporting timeframes, and it includes the template for our security incident investigation form, which guides you through all of the pieces to investigate and document. And also includes a notification template for client notification.

 

Evan Dumas 

Mhm, yep.

 

Liath Dalton 

Are there, aside from those resources, any other pieces that we want to talk about in the investigation process or response that folks might overlook or should be aware of, that come to mind for you, Evan?

 

Evan Dumas 

Hmm, I think we covered all the basics. You know, what you discover in your investigation and documentation will also really inform your training going ahead, because, yeah, you may do a yearly training on these topics, but you will want to more regularly tell people about this. If you have a really large group, I mean, any size group benefits from security reminders. Like start a newsletter, if you don’t have one, and tell people these little tidbits here and there in the newsletter, or bring them up at your weekly meetings, of hey, just remember, don’t click bad links. And you know, have these regular things. They also count as training, it’s a requirement for security reminders, to let people know, but your investigation will really sort of expose what your gaps are, and you can train around that.

 

Liath Dalton 

Exactly. And just to sort of highlight a point here, there is a whole reason that the training reminders are an actual standard in and of itself within the HIPAA Security Rule. Because a one-off training on policies and procedures or the foundational concepts of the HIPAA framework is not sufficient for actual, real world in-practice compliance. So one of the standards is that there have to be training reminders sent on a periodic basis. Of course, they don’t specify the periodicity of that. It’s supposed to be, as with all things HIPAA, “reasonable and appropriate,” but a good cadence is to do at least monthly security awareness reminders and HIPAA training reminders.

 

Liath Dalton 

And those can be short and sweet and to the point, but should be about something that is a real world practice risk, in your particular practice context. They can be responsive to issues that you’ve identified in your practice and how your team’s handling info, or they can be more preventative, which is ideal, and based on, you know, things you’re seeing in the news or hearing from other practice owners and colleagues and folks in the community about any sort of breaches or misfortunes, security incidents that have occurred for them.

 

Liath Dalton 

So don’t, I think sometimes practices will be more focused on some sort of annual training requirement than the ongoing piece of the training reminders standard. And I think there’s real benefit to actual like lived compliance and compliant behavior through the reminders and just incorporating that into your general workflow for internal operations and team support.

 

Evan Dumas 

Mhm, yeah.

 

Liath Dalton 

Well, we hope you have found this to be helpful, and that you yourself are not listening to this because you are currently dealing with a hack. Ideally, this is something that will lead to your being able to prevent this from ever being an issue. But if not, if you are listening to this because you’re dealing with this situation, take a deep breath. It can all be addressed and secured and mitigated and prevented from happening again in future.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

I know it can feel absolutely gut wrenching and panic inducing, but it is something that can be managed and addressed. And you know, while it is obviously central to how we view the importance of safeguarding client info, that steps be, all possible steps be taken to safeguard client info, and we know you never want to have to let a client know that their info was compromised.

 

Liath Dalton 

I also want to just sort of contextualize this by saying that, unfortunately, it is so common that people are receiving breach notifications, particularly if they see large medical providers or have been in any sort of like hospital system, that the intensity of emotional response that we might anticipate clients to have is generally nowhere near as kind of devastating as you might anticipate while you’re in the initial midst of trying to deal with an email hack situation.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Yeah. All right, folks, thanks for joining us, and we will talk to you next week.

 

Evan Dumas 

Yeah, talk to you next week, everybody.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.


Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we share what to do as a practice owner to prevent email hacks, and how to respond if one occurs.

We discuss:

  • Technical and behavioral measures to take to prevent email hacks
  • Mandating two-factor authentication system-wide
  • Education and staff training for prevention
  • Creating a shame-free security culture in your practice
  • Steps to take if you receive an email that looks suspicious
  • Steps to take if you find out your email has been hacked
  • Breach reporting timelines to be aware of
  • PCT resources that guide you through security training and awareness; risk analysis and mitigation planning; and breach investigation, documentation, and reporting
  • Ongoing training and security reminders for your team

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

PCT Resources:

  • Group Practice Care Premium
    • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
    • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
  • Our relevant HIPAA Breaches and Investigation course, including a security investigation documentation form.
