April 13, 2022
With email the most common phishing vector scammers use, how can the everyday healthcare professional protect themselves, their company and their patients?
Between disinformation campaigns, imposter social media accounts, identity theft, and malicious links, it’s no wonder the world has trust issues. One of the most common ways that hackers gain access to your secure information is through phishing emails, and they’re getting better at it every year.
Despite advances in anti-virus security programs, phishing attacks continue to increase in number and impact, and the healthcare industry is particularly vulnerable. An easy and scalable way to protect yourself against these attacks is to arm yourself with ways to identify the threats. But first, all healthcare workers must know what a phishing email is, why it matters in healthcare, and tips they can use to recognize an attack.
A phishing email is an email intended to trick you into performing a specific task. Typically, the attacker will disguise the email using social engineering techniques that make it look harmless, and it will include a link or an attachment, or ask you to provide sensitive information. As soon as you fall for the trick, your personal and professional information is compromised; even worse, your patients' health data can be compromised, too.
Since 2012, the Department of Health and Human Services (HHS) has reported a 38% increase in breaches involving email, and a majority of healthcare organizations reported that they noticed an increase in cyber-attacks. In fact, according to Verizon's data breach investigation report, the healthcare industry experienced more breaches than any other sector, with a shocking increase of 71.4%.
Phishing scams are so dangerous because they are constructed to be convincing to their targets, and as you can imagine, the results can be devastating.
Of course, most phishing emails are trying to gain the victim's personal financial information. However, there are plenty of cases where scammers are interested in accessing company data, or even in deploying ransomware that freezes a hospital's systems, which essentially holds the system hostage until the company pays off the hackers.
But the damage doesn't end there. So, why is the healthcare industry especially vulnerable? The answer is simple: patient medical records. Patient data is considered even more valuable than money to criminals because it can be sold on the black market for as much as 50 times more than personal financial information.
According to the HHS Office for Civil Rights, in the last 11 years some 2,500 breaches exposed more than 175 million patient records.
When these breaches occur, it's not just a monetary issue, but also a process issue. Doctors, nurses, and administrative staff will then be required to run their operations the old-fashioned way: with pen and paper. Ultimately, no matter how you look at it, falling for phishing scams significantly decreases patient safety, and it's possible you could be in breach of HIPAA should you fall for these tactics.
As healthcare entities increase reliance on IT for operations, patients are exposed to cybercriminals more than ever before. It is up to the staff to become familiar with the signs indicating an email is in fact an attack.
Phishing emails are designed to look like they’re from a trusted company or person, like your employer, a popular brand that most consumers use, or even the CEO. For example, it’s possible the scammer gained a list of customers from your bank, and they then created an email that appears to be legitimate with logos, current employee names, and a convincing ‘from’ email address. You will need to be curious, play investigator, and vet each email received in your inbox.
Here are some of the most common ways to identify if an email is a phishing scam:
1. Suspicious activity or password update request
Think about which email you have tied to the account (is it your work email or a personal one?) and when you last logged in directly to the site or utilized the account. Ask yourself: Does the email demand make sense?
2. Urgent call to action or threats
Many scams will require you to click, call, or open an attachment immediately or suffer a penalty. Creating a sense of urgency is a common trick so you won't have time to think about whether it's a legitimate request. Slow down and realize that no real organization requires that quick of a turnaround.
3. Generic greeting, like "Hi Dear," or bad grammar and spelling
Since most companies' email tools have automatic spellcheck, legitimate emails are typically grammatically correct. If you know the person it's from, does the tone of the email sound like something they would send?
4. Inconsistent email addresses, links and domain names
Without clicking or responding to the email, you can check any links and the sender's email address by hovering the mouse over a link and clicking the dropdown arrow next to the 'from' name. If the email address isn't spelled correctly or isn't consistent with the brand, or the link's domain name reads something else, then it is an immediate red flag.
5. Suspicious attachments
Were you expecting to hear from this company or person with an invoice or attached document? Even if it appears to be from the CEO of your company, look for the warning signs listed above, and check directly with the person or a coworker (but do NOT forward the email) to see if they indeed sent it. Attachment extensions commonly associated with malware include .zip, .exe and .scr.
6. Too good to be true
Did you enter to win that trip or win that car? If the sender of the email is unfamiliar or you did not initiate the contact in some way, the likelihood is that it is a phishing email.
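As an added illustration, not part of the original article, the following Python script applies checklist items 2, 4 and 5 above to a raw email message and reports which ones it trips. The urgency phrases, the extension list and the "last two labels" domain rule are assumptions chosen for this example; a real mail gateway would use a public-suffix list and a far broader phrase set.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Phrase list, extension list and the two-label domain rule are assumptions for this example.
URGENCY = ("immediately", "within 24 hours", "will be suspended", "act now")
RISKY_EXT = (".zip", ".exe", ".scr")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)

def registrable(host):
    # Brand-level domain = last two labels (approximation; no public-suffix list).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def phishing_flags(raw):
    # Return the checklist items a raw RFC 822 message trips; [] means none found.
    msg = message_from_string(raw)
    flags, body = [], ""
    sender = parseaddr(msg.get("From", ""))[1]
    sender_dom = registrable(sender.rpartition("@")[2]) if "@" in sender else ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            flags.append(f"risky attachment: {name}")           # sign 5
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(errors="replace")
    if any(p in body.lower() for p in URGENCY):
        flags.append("urgent call to action")                   # sign 2
    for href, text in LINK_RE.findall(body):                    # sign 4
        link_dom = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(0)) != link_dom:
            flags.append(f"link text shows {shown.group(0)} but goes to {link_dom}")
        elif sender_dom and link_dom != sender_dom:
            flags.append(f"link domain {link_dom} differs from sender {sender_dom}")
    return flags
# Constructed sample: lookalike sender, urgency, mismatched link text, .zip attachment.
SAMPLE = """\
From: "Acme Bank Security" <alerts@acme-bank-verify.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Verify your password immediately or your account will be suspended.</p>
<a href="http://acme-bank-verify.com/login">https://www.acmebank.com/login</a>
--b1
Content-Type: application/zip; name="statement.zip"

--b1--
"""
```

Running `phishing_flags(SAMPLE)` reports the attachment, the urgent wording and the link whose visible text names one domain while the href points to another; a plain note from a colleague with no links returns an empty list.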
What to do if you receive what you believe to be a phishing email:
Do your part. Be proactive about protecting your computer or mobile device:
What to do if you’ve been successfully phished:
With 42% of the breaches investigated by HHS starting with an email, it is clear scammers are preying on users' vulnerability and lack of awareness of their schemes.
ChartLogic manages its clients' staff and technology as if they were our own. Whether you're a small practice needing minimal IT or a large operation looking to outsource all IT operations, we tailor the right solution for your needs and budget. We offer services like IT infrastructure, Service Desk, or a dedicated CIO that can be onsite and/or based at a U.S. service center.