Stop Email Hackers from Getting Access to Your Patient Info


Each time one of your staff members opens an email message, it puts your practice at risk of being hacked. One of the most common types of attacks hackers use is phishing.

Scammers have stepped up their game with new, innovative phishing attempts – and they're targeting healthcare practices just like yours. According to a report by IBM Security, phishing was the second most common cause of healthcare data breaches in 2021, with an average cost of $4.65 million per breach.

As a medical practice, your risk of getting hit by a phishing attack isn’t just monetary. You store a treasure trove of sensitive personal information on all your patients. If this information falls into the wrong hands, your practice can face several negative consequences, including hefty fines and costly legal action.

Preventing phishing attacks comes down to making sure that you train each and every one of your employees to spot potential scams and what action to take to avoid falling prey to them.

These proven staff prevention measures are essential to protecting your practice, because one person innocently opening the wrong email is all it takes to hand an attacker access to your most valuable information.

What Is a Phishing Attack?

Phishing is an attempt to trick someone, by email, into handing over access to systems or information. A successful phishing attack gives scammers personal information they can use to steal identities and money.

A phishing email usually carries a link or an attachment. If someone from your practice clicks it, malware can be installed on the workstation, or the link can open a fake login page that captures the employee's password. Either way, the attacker gets what they want: access to your systems and your patients' personal data. The worst part is that you may not realize it is happening until it's too late.

Unfortunately, expecting staff to NEVER click on an email link just isn’t feasible, and hackers know this.  To take advantage of this, they make phishing emails look like they come from a person or company that you know and trust, such as a credit card company or common healthcare vendor. Also, these emails can look like they are from a patient disputing a bill or complaining about service.

The trick to protecting your practice from phishing attacks is for everyone at your office to know how to spot suspicious emails.

Outing Suspicious Emails

While identifying phishing emails isn’t an exact science, training your staff to be wary of any outside communications they aren’t expecting is a great first line of defense. Even if being extra cautious leads them to identify emails as being dangerous when they are not, it’s much better to be safe than sorry in the long run.

The Federal Trade Commission (FTC) lists some signs an email you receive may be a scam, including:

  • The sender claims they've "noticed some suspicious activity" or "suspicious log-in attempts" on your account
  • The sender claims there's a "problem" with your account or payment information
  • The email requires you to confirm personal information, including your name, home address, or part or all of your Social Security number
  • The email attaches a fake invoice
  • The email requests that you click on a link to make a payment, access a document or confirm personal details

Identifying phishing emails needs to be a priority for everyone in your practice – from physicians to your front desk staff. To make this happen, every employee should receive training on how to identify a potential phishing email attack. It can also be helpful to have a list of phishing warning signs readily available to everyone (all computer workstations, new patient paperwork, your office intranet, employee handbook, a fact sheet in the kitchen, etc.).

Note: New staff who don't yet know the ins and outs of your practice (which vendors you use, who normally sends invoices, how patients usually contact you) are at higher risk of falling for a scammer. Accordingly, every new employee should receive this training as part of onboarding.

Never Click Links

One of the most common ways scammers carry out phishing attacks is by embedding dangerous links or attachments in the emails they send. Banning your staff from ever clicking an email link just isn't feasible, so instead make sure they know what to look for and are cautious of any email that contains a link or attachment. Two quick checks help: hover over a link (without clicking) to see where it really points, and treat an address that merely contains a familiar name, such as your practice's domain buried inside an unfamiliar one, as suspect.
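The two link checks described above can also be automated. The following Python script is an added example, not code from the original article: it pulls every link out of an HTML email body, flags links whose visible text shows one domain while the real destination is another, and flags destinations that hide a trusted domain name inside an untrusted one. The trusted-domain list, the domain names and the sample message are all constructed for illustration.

```python
"""Flag deceptive links in an HTML email body (added example).

Two checks a mail filter or help-desk script can automate: the visible link
text points at one domain but the real href goes to another, and the
destination hides a trusted name inside a domain nobody trusts. The trusted
domains and the sample message below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the practice's own domain plus one vendor it really uses.
TRUSTED_DOMAINS = ("example-clinic.com", "billing-vendor.example")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL ('' for mailto:, empty or malformed values)."""
    return urlparse(value).hostname or ""


def registrable_domain(host):
    """Last two labels of a host: a rough stand-in for the registered domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return the reasons this link is suspicious (empty list if none)."""
    reasons = []
    target = host_of(href)
    if not target:
        return reasons
    target_domain = registrable_domain(target)

    # 1. The visible text shows a URL, but its domain differs from the href's.
    shown = host_of(text) if "://" in text else ""
    if shown and registrable_domain(shown) != target_domain:
        reasons.append(f"text shows {shown} but link opens {target}")

    # 2. A trusted name appears inside an untrusted domain,
    #    e.g. example-clinic.com.login-check.net
    if target_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in target:
                reasons.append(f"{target} imitates trusted domain {trusted}")
                break
    return reasons


def scan_email_html(html):
    """Return [(href, text, reasons)] for every link that tripped a check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: a "suspicious log-in attempts" lure with a lookalike link.
SAMPLE_EMAIL = """
<p>We noticed suspicious log-in attempts on your account.</p>
<p>Confirm your details at
<a href="http://example-clinic.com.login-check.net/verify">https://portal.example-clinic.com</a>
within 24 hours. Your statement is attached:
<a href="https://files.example-clinic.com/invoice.pdf">invoice.pdf</a></p>
<p><a href="https://billing-vendor.example/statement">https://billing-vendor.example/statement</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}")
        for reason in reasons:
            print("  -", reason)
```

Only the first link in the sample is reported, for both reasons; the genuine attachment link and the vendor link pass. The "last two labels" approximation is deliberately simple and misjudges hosts under country-code second-level domains such as `.co.uk`; a production filter would use the public suffix list instead.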

Unfortunately, many people just aren’t careful about what they click in emails they receive, which is exactly what hackers are hoping for. And in the case of your practice, granting a hacker access to your computer could lead to a significant data breach and be financially and legally devastating.

To protect your practice, consider sharing documents through more secure means, such as an intranet system, patient portal or cloud-based document sharing platform such as Dropbox.

An intranet system and sharing platform is a great way for your staff to share access to documents mentioned in an email, and a portal can be a safe way to receive and provide documents with patients.

As part of your employee training, include instructions on how to handle emails that contain links or attached documents. For most people, a little bit of education can go a long way toward keeping your practice safe from phishing attacks.

Report Anything Suspicious

Your practice's IT team, whether in-house or contracted, is paid to keep threats like this at bay, but they can only act on what they know about. So, any time your staff receives an email they feel is suspicious, they need to report it; a single report lets IT block the sender and remove the same message from every other mailbox it reached.

The easier you make the reporting process for your staff, the more likely they will use it. For example, an online ticketing system or centralized email address where reports of potential scams are sent can be viable options.

Additionally, make it clear that you would prefer that someone over-report than under-report when it comes to your data security. Even if your IT team ends up fielding queries that don’t turn out to be phishing attacks, it will be well worth it when someone does get it right and you avoid a hacker attack.

Add Multi-Factor Authentication

Multi-factor authentication won't protect your practice from every phishing attack, but it does stop the most common outcome: a scammer who has captured someone's password tries to log in with it and gets no further, because the password alone is not enough. If your email system and major applications, such as your patient records system and any billing systems you use, don't already have multi-factor authentication enabled, now is a great time to set them up. One caveat: a phishing page can ask for the one-time code as well as the password and pass both along to the real site in real time, so where a system supports it, prefer a hardware security key or another phishing-resistant method over codes sent by text message.

Multi-factor authentication adds extra security to important accounts by requiring two or more credentials from different categories to log in:

  • Something you know – A password or PIN
  • Something you have – A code from an authenticator app on your phone, or a physical security key
  • Something you are – A scan of your fingerprint, retina, or face.

Some authenticator apps combine these: the app asks you to approve the login with your fingerprint before it reveals the code, which you then type into the system you're signing in to. Many platforms and email clients either require multi-factor authentication during setup or offer a setting to turn this extra security feature on.
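To make concrete why a stolen password is not enough once "something you have" is required, here is an added Python example (not from the article or from any vendor) that implements TOTP, the RFC 6238 scheme used by most authenticator apps, next to an ordinary password check. The demo account, its password and its enrolled secret are constructed for illustration; the secret `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` used in the comments is the RFC 6238 test key.

```python
"""How an authenticator-app passcode is produced and checked (added example).

TOTP (RFC 6238): the six-digit code is an HMAC of the current 30-second
window, keyed with a secret shared only between the phone and the server.
An attacker holding just the password cannot compute it. The demo user,
password and secret below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def totp(secret_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Return the TOTP code for the given time (HMAC-SHA1, per RFC 6238)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, unix_time, window=1):
    """Accept the current code or one step either side to allow clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed demo account: a hashed password plus an enrolled TOTP secret.
# (A real system would use a slow password hash such as bcrypt or Argon2.)
USERS = {
    "frontdesk": {
        "password_sha256": hashlib.sha256(b"Winter2021!").hexdigest(),
        "totp_secret": "JBSWY3DPEHPK3PXP",
    }
}


def login(username, password, code, unix_time=None):
    """Two-factor login: the password AND the current code must both match."""
    user = USERS.get(username)
    if user is None:
        return False
    now = time.time() if unix_time is None else unix_time
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    pw_ok = hmac.compare_digest(pw_hash, user["password_sha256"])
    code_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    good_code = totp(USERS["frontdesk"]["totp_secret"], now)
    print("password + current code:", login("frontdesk", "Winter2021!", good_code, now))
    print("password alone (no code):", login("frontdesk", "Winter2021!", "", now))
```

With the RFC 6238 test key, `totp(..., 59, digits=8)` yields `94287082`, matching the published vector. Note what this does and does not defend against: a scammer who only phished the password is stopped, but one who also phishes the current code and relays it within the 30-second window still gets in, which is why security keys bound to the real site are the stronger option where available.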

Your practice may not face active threats every day, but that isn’t an excuse to not prepare for problems before they happen. Keep your practice’s computer systems safe with Healthcare Training Leader’s online training, HIPAA and Ransomware: Protect Against Attacks and Violation Penalties. In this 60-minute training, you’ll receive the tools you need to develop and implement a site-specific plan to prevent ransomware attacks before they happen. View this valuable training today. Also, check out all of the HIPAA-related online trainings to get even more advice on how to protect your patient data.
