HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Common Office 365 Mistakes Made by Healthcare Organizations

An Office 365 phishing campaign has been running over the past few weeks that uses voicemail messages as a lure to get users to disclose their Office 365 credentials. Further information on the campaign is detailed below along with some of the most common Office 365 mistakes that increase the risk of a costly data breach and HIPAA penalty.

Office 365 Voicemail Phishing Scam

The Office 365 voicemail phishing scam was detected by researchers at McAfee. The campaign has been running for several weeks and targets middle management and executives at high profile companies. A wide range of industries have been attacked, including healthcare, although the majority of attacks have been on companies in the service, IT services, and retail sectors.

The emails appear to have been sent by Microsoft and alert users to a new voicemail message. The emails include the caller’s telephone number, the date of the call, the duration of the voicemail message, and a reference number. The emails appear to be automated messages and tell the recipient that immediate attention is required to access the message.

The phishing emails include an HTML attachment which will play a short excerpt from the voicemail message if opened. Users will then be redirected to a spoofed Office 365 web page where they must enter their Office 365 credentials to listen to the full message. If credentials are entered, they will be captured by the attacker. Users are then redirected to the Office.com website. No voicemail message will be played.

This is not the first time that voicemail and missed call notifications have been used as a lure in phishing attacks, but the inclusion of audio recordings in phishing emails is unusual. The partial voicemail recording comes from an embedded .wav file in the HTML attachment.

McAfee reports that three different phishing kits are being used to generate the spoofed Microsoft Office 365 websites, which suggests three different threat groups are using this ploy.

While there are red flags that should alert security-aware employees that this is a scam, unfamiliarity with this type of phishing scam and the inclusion of Microsoft logos and carbon-copy Office 365 login windows may be enough to convince users that the voicemail notifications are genuine.

Common Office 365 Mistakes to Avoid and HIPAA Best Practices

This is just the latest of several recent phishing campaigns targeting Office 365 users and attacks on Office 365 users are increasing. Listed below are some steps that can be taken to reduce risk along with some of the common Office 365 mistakes that are made which can increase the risk of account compromises, data breaches and HIPAA penalties.

Consider Using a Third-Party Anti-Phishing Solution on Top of Office 365

Office 365 incorporates anti-spam and anti-phishing protections as standard through Microsoft Exchange Online Protection (EOP). While this control is effective at blocking spam email (99%) and known malware (100%), it doesn’t perform so well at stopping phishing emails and zero-day threats. Microsoft is improving its anti-phishing controls but EOP is unlikely to provide a sufficiently high level of protection for healthcare organizations that are extensively targeted by cybercriminals.

Microsoft’s anti-phishing protections are better in Advanced Threat Protection (APT), although this solution cannot identify zero-day threats, does not include sandboxing for analyzing malicious attachments, and email impersonation protection is limited. For advanced protection against phishing and zero-day threats, consider layering a third-party anti-phishing solution on top of Office 365.

Implement Multi-Factor Authentication

A third-party solution will block more threats, but some will still be delivered to inboxes. The Verizon Data Breach Investigations Report revealed 30% of employees open phishing emails and 12% click links in those messages. Security awareness training for employees is mandatory under HIPAA and can help to reduce susceptibility to phishing attacks, but additional anti-phishing measures are required to reduce risk to a reasonable and acceptable level. One of the most effective measures is multi-factor authentication. It is not infallible, but it will help to ensure that compromised credentials cannot be used to access Office 365 email accounts.

Check DHS Advice Prior to Migrating from On-Premises Mail Services to Office 365

There are risks and vulnerabilities that must be mitigated when migrating from on-premises mail services to Office 365. The DHS’ Cybersecurity and Infrastructure Security Agency has issued best practices that should be followed. Check this advice before handling your own migrations or using a third-party service.

Ensure Logging is Configured and Review Email Logs Regularly

HIPAA requires logs to be created of system activity and ePHI access attempts, including the activities of authorized users. Those logs must also be reviewed regularly and checked for signs of unauthorized access and suspicious employee behavior.

Ensure Your Emails are Encrypted

Email encryption will prevent messages containing ePHI from being intercepted in transit. Email encryption is a requirement of HIPAA if messages containing ePHI are sent outside your organization.

Make Sure You Read Your Business Associate Agreement

Just because you have obtained a signed business associate agreement from Microsoft it does not mean your email is HIPAA-compliant. Make sure you read the terms in the BAA, check your set up is correct, and you are aware of your responsibilities for securing Office 365 and you are using Office 365 in a HIPAA compliant manner.

Backup and Use Email Archiving

In the event of disaster, it is essential that you can recover your email data. Your Office 365 environment must therefore be backed up and emails containing ePHI and HIPAA-related documents must be retained for a period of 6 years. An archiving solution – from Microsoft or a third-party – is the best way of retaining emails as archives can be searched and emails quickly recovered when they are required, such for legal discovery or a compliance audit.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.