
Jerris Heaton


Protecting the Healthcare Industry from Advancements in Phishing Scams

April 13, 2022


Categories: Clinician, EHR, Information Technology

Email is the channel scammers use most often for phishing. How can the everyday healthcare professional protect themselves, their organization and their patients?

Between disinformation campaigns, imposter social media accounts, identity theft, and malicious links, it’s no wonder the world has trust issues. One of the most common ways that hackers gain access to your secure information is through phishing emails, and they’re getting better at it every year.

Despite advances in anti-virus security programs, phishing attacks continue to increase in number and impact, and the healthcare industry is particularly vulnerable. An easy and scalable way to protect yourself against these attacks is to arm yourself with ways to identify the threats. But first, all healthcare workers must know what a phishing email is, why it matters in healthcare, and tips they can use to recognize an attack.

What are phishing emails?

A phishing email is an email intended to trick you into performing a specific task. Typically, the attacker disguises the email using social engineering techniques that make it look harmless, and it will include a link or an attachment, or will ask you to provide sensitive information. As soon as you fall for the trick, your personal and professional information is compromised; even worse, your patients' health data can be compromised, too.

Since 2012, the Department of Health and Human Services (HHS) has reported a 38% increase in breaches involving email, and a majority of healthcare organizations reported noticing an increase in cyber-attacks. In fact, according to Verizon's Data Breach Investigations Report, the healthcare industry experienced more breaches than any other sector, with a shocking increase of 71.4%.

The Real Cost of Falling for a Phishing Scam

Phishing scams are so dangerous because they are constructed to be convincing to their targets, and as you can imagine, the results can be devastating.

Of course, most phishing emails are trying to obtain the victim's personal financial information. However, there are plenty of cases where scammers are interested in accessing company data, or even in deploying ransomware that freezes a hospital's systems, essentially holding them hostage until the organization pays off the hackers.


But the list of devastation doesn’t end there. So, why is the healthcare industry especially vulnerable? The answer is simple: patient medical records. Patient data is considered even more valuable than money to criminals because it can be sold on the black market for as much as 50 times more than personal financial information.

According to the HHS Office for Civil Rights, more than 175 million patient records were exposed in roughly 2,500 breaches over the last 11 years.

When these breaches occur, it's not just a monetary issue, but also a process issue. Doctors, nurses, and administrative staff will then be required to run their operations the old-fashioned way: with pen and paper. Ultimately, no matter how you look at it, falling for phishing scams significantly decreases patient safety, and it's possible you could be in breach of HIPAA should you fall for these tactics.

Identifying Phishing Attacks

As healthcare entities increase reliance on IT for operations, patients are exposed to cybercriminals more than ever before. It is up to the staff to become familiar with the signs indicating an email is in fact an attack.

Phishing emails are designed to look like they’re from a trusted company or person, like your employer, a popular brand that most consumers use, or even the CEO. For example, it’s possible the scammer gained a list of customers from your bank, and they then created an email that appears to be legitimate with logos, current employee names, and a convincing ‘from’ email address. You will need to be curious, play investigator, and vet each email received in your inbox.

Here are some of the most common ways to identify if an email is a phishing scam:

1. Suspicious activity or password update request

Think about which email you have tied to the account (is it your work email or a personal one?) and when you last logged in directly to the site or utilized the account. Ask yourself: Does the email demand make sense?

2. Urgent call to action or threats

Many scams will require you to click, call, or open an attachment immediately or suffer a penalty. Creating a sense of urgency is a common trick so you won't have time to think about whether it's a legitimate request — slow down and realize no real organization requires that quick of a turnaround.

3. Generic greeting, like “Hi Dear,” or contains bad grammar and spelling

Since most companies' email tools have automatic spellcheck, legitimate emails are typically grammatically correct. If you know the person it's from, does the tone of the email sound like something they would send?

4. Inconsistent email addresses, links and domain names

Without clicking or responding to the email, you can check any link and the sender's address by hovering the mouse over the link (the destination your mail client shows is the real target, which can differ from the text displayed) and by clicking the dropdown arrow next to the 'from' name. If the email address isn't spelt correctly or isn't consistent with the brand, or the link's domain name reads something else, then it is an immediate red flag.

5. Suspicious attachments

Were you expecting to hear from this company or person with an invoice or attached document? Even if it's from the CEO of your company, look for the warning signs listed above, and check directly with the person or a coworker (but do NOT forward the email) to see if they indeed sent it. Attachment extensions commonly associated with malware include .zip, .exe and .scr.

6. Too good to be true

Did you enter to win that trip or win that car? If the sender of the email is unfamiliar or you did not initiate the contact in some way, the likelihood is that it is a phishing email.
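The checklist above can be turned into a first-pass screen that a help desk or security team could run over reported messages before a human looks at them. The script below is an added example and is not ChartLogic's code or tooling; the sample messages, the list of trusted sender domains (`KNOWN_SENDER_DOMAINS`) and the phrase lists are all constructed for illustration. It parses a raw email and reports the red flags from items 1 to 5: a sender domain that is a near-miss of a trusted one, link text that names a different domain than the link target, an attachment with one of the extensions named above, urgent wording, and a generic greeting.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this hypothetical clinic expects mail from (used to spot look-alikes).
KNOWN_SENDER_DOMAINS = {"clinic.invalid", "example-bank.invalid"}
# Constructed phrase lists for items 1-3 of the checklist.
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "urgent", "verify your account")
GENERIC_GREETINGS = ("hi dear", "dear customer", "dear user")
# Extensions the article names as commonly carrying malware (item 5).
RISKY_EXTENSIONS = (".zip", ".exe", ".scr")

# Constructed lure showing several red flags at once: look-alike sender domain ("examp1e"),
# urgent wording, link text that differs from the link target, and a .zip attachment.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.invalid>
To: nurse@clinic.invalid
Subject: URGENT: Unusual sign-in activity on your account
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html

<html><body><p>Hi Dear,</p>
<p>We noticed unusual activity. Verify your account immediately or it will be suspended within 24 hours.</p>
<p><a href="http://login.examp1e-bank.invalid/verify">https://www.example-bank.invalid/login</a></p>
</body></html>
--XYZ
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"

UEsDBAo=
--XYZ--
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: "Clinic Scheduling" <scheduling@clinic.invalid>
To: nurse@clinic.invalid
Subject: Next week's rota
Content-Type: text/plain

Hi Sam, the rota for next week is posted on the intranet. Thanks!
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; a production tool would consult the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs and all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def analyze_message(raw: str, known_domains=KNOWN_SENDER_DOMAINS) -> list[tuple[str, str]]:
    """Return (category, detail) findings for the red flags in the checklist."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Item 4: sender address that is a near-miss of a domain we trust.
    _, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain and sender_domain not in known_domains:
        for known in known_domains:
            if edit_distance(sender_domain, known) <= 2:
                findings.append(("lookalike-sender", f"{sender_domain} resembles {known}"))

    body_text = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        # Item 5: attachment with an extension commonly used to deliver malware.
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", filename))
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body_text.append(part.get_content())
        elif ctype == "text/html":
            extractor = LinkExtractor()
            extractor.feed(part.get_content())
            body_text.extend(extractor.text)
            # Item 4: link whose visible text names a different domain than its real target.
            for href, text in extractor.links:
                target = urlparse(href).hostname or ""
                shown = (urlparse(text).hostname if text.startswith("http") else text) or ""
                if target and shown and "." in shown and " " not in shown:
                    if registrable_domain(target) != registrable_domain(shown):
                        findings.append(("link-mismatch", f"shows {shown}, goes to {target}"))

    lowered = " ".join(body_text).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]     # items 1 and 2
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    if any(f" {g}" in lowered for g in GENERIC_GREETINGS):   # item 3
        findings.append(("generic-greeting", "impersonal salutation"))
    return findings


if __name__ == "__main__":
    for category, detail in analyze_message(SAMPLE_EMAIL):
        print(f"{category:18} {detail}")
```

The output is a list of findings rather than a verdict: the point, as with the checklist, is to give the reader concrete things to verify before acting, not to replace the step of checking with the supposed sender. The domain comparison is deliberately simple (last two labels); a real deployment would use the Public Suffix List and a maintained list of the organization's legitimate sender domains.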


What to do if you receive what you believe to be a phishing email:

  1. Do not click on anything, reply to the email, or forward it to anyone.
  2. Check with the sender if you know and trust them.
  3. Report the message to IT or through the 'report phishing' feature in your email client.
  4. Delete the message once you’ve spoken with IT.

Do your part. Be proactive about protecting your computer or mobile device:

  1. Update your computer regularly so your software stays current, and make sure you're running your company's latest security software.
  2. Use trusted websites and install apps only from your platform's official app store. If an app asks for more permissions than it needs, don't install it.
  3. When setting passwords, don’t use personal information like your address, phone number or pet’s name. Instead, use phrases with a combination of capital letters, numbers and symbols.
  4. Protect your accounts by using multi-factor authentication.
  5. Be familiar with real-life examples of phishing attacks and keep an eye out in the news for any new trending attacks. It’s likely others are receiving and falling for these same scams and knowing about the attacks ahead of time will help you spot them quicker.

What to do if you’ve been successfully phished:

  1. Immediately tell your boss and IT — they will have a protocol in place to handle these issues.
  2. Write down the details of the attack as best you can recall.
  3. Change all of your passwords.
  4. Report it to the Federal Trade Commission.

Protect your workforce today with ChartLogic’s Managed IT

With 42% of the breaches investigated by HHS starting with an email, it is clear scammers are preying on users' vulnerability and lack of awareness of their schemes.

ChartLogic manages its clients' staff and technology as if they were our own. Whether you're a small practice needing minimal IT or a large operation looking to outsource all IT operations, we tailor the right solution for your needs and budget. We offer services such as IT infrastructure, a Service Desk, or a dedicated CIO, delivered onsite and/or from a U.S.-based service center.

ChartLogic is passionate about enabling exceptional, protected healthcare. Contact us to learn about your options or fill out our free IT systems assessment today.


