AOA cautions in light of latest cybersecurity breach

In late February, Change Healthcare, a unit of UnitedHealth Group (UHG), sustained an unprecedented cybersecurity incident that impacted care operations across the country. While the Department of Health and Human Services (HHS) made clear its expectation that UHG do everything in its power to ensure continuity of operations for all impacted providers, HHS also announced immediate steps that the Centers for Medicare & Medicaid Services will take to assist providers in serving patients.

The AOA continues to request that HHS release timely information and make federal support available for impacted doctors. Additionally, the AOA shares the following resources and information that may be helpful to AOA members:

Ways to prevent falling victim to email scams 

Advanced spear-phishing scams are a very real, commonplace threat, and unfortunately easy to overlook. That's why the FBI's IC3 offers tips for avoiding these deleterious emails:

  1. Be suspicious. Most email users know not to open or engage with spam email, but spear-phishing scams masquerade as a familiar entity. Therefore, take a skeptical approach to any unsolicited email, especially those asking for personal, financial or network security information. Be wary of free, web-based email accounts that are more susceptible to hacking. Also, be skeptical of emails that request secrecy or pressure you to act quickly.
     
  2. Keep confidential information confidential. Personal, financial or network security information that falls into the wrong hands can cost you and your business dearly. Stolen Social Security numbers can be used to open lines of credit or to file fraudulent tax returns, while compromised network security information in a medical practice exposes ePHI and can be a violation of the HIPAA Security Rule.   
     
  3. Be wary of links, web addresses. Spear-phishing scams often mimic trusted parties by making minuscule changes in email extensions or links. For example, a schemer may use the exact same email as a known user, but change .com to .co and alter the account display name so the message appears to come from a known party. Advanced attacks may even borrow a company logo or header to appear official and divert attention from an altered extension. Such was the case with a phishing attack posing as communication from the Department of Health and Human Services Office of Civil Rights.
     
    The goal of these realistic emails is to elicit an action, be it divulging confidential information or persuading a user to click a deceptive link. This link may take users to a familiar, look-alike site that requires security information, such as an online banking account. Once users enter their login credentials, the scammer can hack the account and continue spreading the malicious email. Always compare the link in an email to the link you're directed to, and visit the official website instead of clicking on the link in an unsolicited email. 
     
  4. Make contact. Don't hesitate to reach out to the actual business or entity that supposedly sent the email to verify its validity. This quick, simple step could easily expose an email scheme for what it is, and alert you to malicious addresses, links or fraudulent email addresses.    
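The checks in tip 3 (a sender domain that differs minutely from a trusted one, and a link whose visible text names a different site than its destination) can be automated at a mail gateway or in a triage script. The following is an added example, not code from the AOA or the FBI; the trusted-domain list, the sample message and the 0.85 similarity threshold are assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed values (assumptions): trusted domains and one sample message.
TRUSTED = ("example-clinic.com", "hhs.gov")
SAMPLE_FROM = '"Example Clinic Billing" <billing@example-clinic.co>'
SAMPLE_HTML = '<a href="https://portal.example-clinic.co/login">www.example-clinic.com</a>'

def same_site(a, b):  # equal, or one is a subdomain of the other
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def lookalike_of(domain, threshold=0.85):  # trusted domain being imitated, else None
    if any(domain == g or domain.endswith("." + g) for g in TRUSTED):
        return None
    return next((g for g in TRUSTED if SequenceMatcher(None, domain, g).ratio() >= threshold), None)

def host(value):  # hostname of a URL or bare domain; "" if the text is not domain-like
    value = value.strip()
    if " " in value or "." not in value:
        return ""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href:
            self.links.append((self.href, self.text))
            self.href = None

def review(from_header, html):
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    good = lookalike_of(sender)
    findings = [f"sender domain {sender} imitates {good}"] if good else []
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        shown, actual = host(text), host(href)
        if shown and actual and not same_site(shown, actual):
            findings.append(f"link shows {shown} but goes to {actual}")
    return findings
```

Calling `review(SAMPLE_FROM, SAMPLE_HTML)` reports both the .co sender and the mismatched link; a message that passes these checks still warrants the verification call described in tip 4.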

Learn about cyberliability insurance and compliancy solutions from AOAExcel endorsed business partners. 
