For several decades now, email phishing scams in healthcare have become more and more prevalent. In a phishing attack, an email tricks the recipient into handing over credentials that grant access to protected information. The scammer asks the target to click a link to a fake website, which gives the unauthorized party access to that information or installs malware on the target’s system. For healthcare practices, falling victim to a phishing scam can compromise patient health data.
According to the Department of Health and Human Services (HHS), breaches involving email have increased by 38% since 2012. These scams can hurt your practice in many ways. Phishing emails can obtain a victim’s personal information and, in some cases, your practice’s data. Scammers may also lock up a practice’s programs with ransomware, in which case a hacker may be needed to restore their function. Patient medical records in particular are extremely vulnerable and valuable to scammers, as they can be sold on the black market. And if a data breach happens, all 50 states have laws requiring providers to notify patients and vendors whose information may have been compromised. A data breach can raise HIPAA issues as well.
Phishing scammers can use Social Security numbers and private information about illnesses, conditions and so on to create false identities and fraudulently bill Medicare, Medicaid and other payers. Scammers can even redirect the direct deposit for employee compensation to accounts outside the country.
This is scary stuff for physicians and their teams, but a practice that is well prepared to identify cyber-security threats and protect its data drastically lowers its chances of getting caught in a phishing scam. What can you do in your practice to keep your information safe?
Look for Signs of a Phishing Email
Phishing emails will often appear to come from a name you recognize, but the actual address they are sent from will typically not be one you recognize. These emails ask you to click on a link or call a phone number. They may also carry a suspicious attachment (which should not be opened). Phishing emails often have poor grammar and a generic greeting rather than your name.
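The sender-name, reply-address and greeting signs above can be turned into a small automated triage check for a mailbox or help desk. This is an added example, not code from the original article; the contact directory, domains and the sample message are constructed placeholders.

```python
# Added example (not from the original article): heuristic checks for the signs above.
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption (constructed): familiar senders and the domain each legitimately mails from.
KNOWN_CONTACTS = {"dr. jane roe": "example-clinic.test"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_SUFFIXES = (".exe", ".js", ".zip", ".docm", ".html", ".iso")


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # A familiar name on an address from a domain that contact never uses
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"known name '{display_name}' but unexpected domain '{from_domain}'")
    # Replies silently redirected to a different address
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain '{domain_of(reply_to)}' differs from sender domain")
    # A generic greeting instead of the recipient's name
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower().lstrip() if body else ""
    if text.startswith(GENERIC_GREETINGS):
        findings.append("generic greeting")
    # Attachment types that commonly carry malware
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES):
            findings.append(f"suspicious attachment '{name}'")
    return findings


# Constructed sample: familiar name on an unfamiliar domain, redirected reply
# address and a generic greeting (no real addresses involved).
SAMPLE_PHISH = """\
From: "Dr. Jane Roe" <jane.roe@mail-secure-login.test>
Reply-To: billing@other-domain.test
Subject: Urgent: verify your account
Content-Type: text/plain

Dear user,
"""
```

Running `phishing_indicators(SAMPLE_PHISH)` lists the three signs found; a message from the contact's expected domain with a personal greeting returns an empty list.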
Implement Software Security and a Multifactor Authentication Process
Update your systems with the latest security software. A multifactor authentication process requires team members to enter their usernames and passwords as well as an additional code, which could be sent as a text message or to another email address. If you don’t already use one, consider an electronic health record (EHR) system, which can offer strong encryption and HIPAA compliance for data security.
Educate Your Team About Cyber Security
If you have IT staff members or work with an outside vendor, partner with them to educate other team members on email and system security best practices. Team members should be taught to visit only trusted websites and to use strong passwords for maximum protection. If you are implementing a multifactor authentication process or other system security measures, use this time to train the team on using these new additions properly as well.
Test Your Team with Fake Phishing Emails
Some companies send out fake phishing emails to test which of their team members will fall for them. Team members who click on a link or respond to the email should receive extra cyber-security education.
Patients nowadays are already nervous about other forms of cyber and identity theft. By taking the necessary steps to protect your systems and educate your team on best security practices, you can help keep your protected health information safe – for the benefit of your practice and patients.
Need help with your data and system security? We’re always a phone call or click away to support your needs. Schedule a consultation with one of our practice management experts today.