So, no fooling: it's time to make sure that your organization, and those of your business associates, are practicing "safe email."
Increasingly, we will see insidiously intelligent attacks on healthcare. Bad guys can guess at org charts for most healthcare organizations by searching for companies and job titles on LinkedIn. Other baddies masquerade as a company's IT support department, offering bogus expanded mailboxes or benefits enrollments—anything to get you to click.
Time and again, the technology industry has assured us that communications would be secure one day. Up to this point, the best the industry's been able to do is to direct us to secure Web portals. Meanwhile, the everyday email we use remains unsigned, unauthenticated, unencrypted, and open to the same sorts of phishing attacks effective during the better part of the past 20 years.
So, what can be done? In the past year, the Domain-based Message Authentication, Reporting and Conformance (DMARC) specification has become a force for positive change in the phishing war. DMARC lets senders and recipients exchange email authentication information between themselves.
If your healthcare organization sends any email, or contracts with an organization that sends email in your name, and you haven't implemented the DMARC standards yet, there's a free set of training videos available. It's one of the best ways to immediately step up your response to the new HIPAA regulations.
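As an added illustration (not code from this article), here is a small Python checker that parses a DMARC TXT record and lists the settings that still leave a domain open to spoofing; the two sample records are constructed, not any real organization's.

```python
# Added example (not from the article): parse a DMARC TXT record and list the
# settings that leave the domain open to spoofing. Sample records are constructed.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.org")

URI_TAGS = {"rua", "ruf"}  # values that must keep their case (mailto: addresses)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tag/value pairs, enforcing the required tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:           # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        tags[key] = value if key in URI_TAGS else value.lower()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("missing v=DMARC1 tag")
    if "p" not in tags:
        raise ValueError("missing required policy tag 'p'")
    return tags


def dmarc_findings(record: str) -> list:
    """Return the reasons a record still lets spoofed mail through."""
    t = parse_dmarc(record)
    findings = []
    if t["p"] == "none":
        findings.append("p=none: receivers only report; spoofed mail is still delivered")
    elif t["p"] == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam folders instead of being rejected")
    if t.get("sp", t["p"]) == "none":        # subdomain policy defaults to 'p'
        findings.append("sp=none: mail from subdomains can still be spoofed")
    pct = int(t.get("pct", "100"))           # defaults to 100 when absent
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in t:
        findings.append("no rua: no aggregate reports, so you cannot see who is sending as you")
    return findings


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, dmarc_findings(rec) or ["no findings"])
```

Publishing p=none is the usual first step while you collect reports; the checker is meant to flag when a domain has stayed there.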
Now let me scare you a little bit. Facebook is in the process of gradually rolling out a new form of search known as Graph Search. While there may be good reasons for Facebook to expand the search capabilities of that system, according to industry experts, Graph Search will be "a phisher's best friend."