Don't Get Baited by Phishing: Protect Our Patients' Information

Recently, a health care center was fined $400,000 by the Office for Civil Rights, the enforcement agency for HIPAA, when a hacker accessed employees’ email accounts and obtained protected health information on 3,200 individuals through a successful phishing attempt.

Information available on computers and personal devices can be compromised through phishing, the fraudulent use of emails that entice users to provide confidential information or click on links that appear familiar and safe. According to the Johns Hopkins Privacy Office, Johns Hopkins’ email users are frequently targeted for phishing attacks, so faculty members, staff members and students need to be on guard to ensure that our electronic systems remain secure.

Read through a few tips to help keep your information and our patients’ information safe:

1. Don’t click on links from unfamiliar email addresses. Phishing emails can come from a JHED user whose system has been compromised. If you receive a suspicious email, send it to spam@jhu.edu. Do not forward the email to your co-workers or colleagues.

2. Know your websites. Clever hackers can create phony messages, such as “verify your account” or “log-in,” or websites that have a familiar look and feel that encourage you to provide credentials and/or click on links that install malware. Never provide credentials or personal information in response to an inquiry you receive by email.

3. Use common sense. Read emails in their entirety. If you see many misspellings, phony or suspicious-looking URLs or email addresses, or any promise of riches and inheritance, it is likely a scam. Do not click on any links; instead, send the email to spam@jhu.edu.

In order to further educate the Johns Hopkins workforce about phishing, IT@Johns Hopkins conducted several phishing simulations last year with encouraging results. An email linking to a fake login page was sent to over 51,000 Johns Hopkins email addresses, and about 10 percent of those users clicked the link. Those who clicked on the link received re-education on phishing, and a retest with another fake login page was later sent to them. The results were promising: 81 percent did not fall for the scam a second time. The themes of these simulations will continue to vary, and users can expect to receive more of them as educational efforts continue.

For more information, visit the Johns Hopkins Privacy Office intranet site at insidehopkinsmedicine.org/privacy_office.