Phishing is a type of cyberattack using email to trick someone into divulging personal information, including passwords. Health care phishing is growing because of the value of health care data coupled with the fact that everyone in a medical practice has an email and can be a target.
In a phish, the attacker masquerades as a reputable entity or person, via email or other communication channels, and asks for valuable information (eg, credentials, usernames, passwords, and even social security numbers). To make matters worse, phishers often present the request as an urgent need for the targeted user to protect themselves by sharing this information. Alternatively, a phisher may ask the user to click a link, which then downloads and installs malware.
Social Media Is Often Used
Phishers often use social media networks (eg, Facebook, Twitter, and LinkedIn) to find information about a practice’s employees, including personal and work history, interests, friends, education, organizations, and activities. With this information, the phishers can craft very believable emails targeted to specific employees in the practice.
Sometimes, attackers launch spear-phishing attacks against physicians or the practice manager. If they can penetrate the network, the attackers can lie low for months collecting data on email flows. Once they have enough information, they pose as a physician or practice manager to carry out their attack.
Awareness Helps You Protect Yourself
Although steps can be taken (see our Cybersecurity Guide), there is no single answer to stop or prevent phishing. The first line of defense is educating everyone in the practice on how to recognize phishing. Here are several clues.
- The sender uses a Gmail or other public email address rather than a corporate email address
- The message is written to invoke fear or a sense of urgency
- The emails ask you to confirm personal information such as social security number or credit card number
- An email that appears to be from Amazon, FedEx, or UPS about a package delivery that you are not expecting
- The message includes a request to verify personal information, such as financial details or a password
- The message is poorly written and has spelling and grammatical errors
- There is a suspicious and unexpected attachment from someone out of the blue
- The email address does not look genuine: it has subdomains, misspelled URLs, variations of well-known URLs, or otherwise suspicious URLs
If you are ever uncertain about an email, ask a coworker what they think about it. It is better to take a few minutes to make sure the email is legitimate. In addition to the tools in our Cybersecurity Guide, antispyware software and anti-phishing toolbars that can be installed in web browsers can be helpful in preventing phishing.
There are also several internet resources that provide help in combating phishing. The Anti-Phishing Working Group and the US federal government’s OnGuardOnline.gov website provide advice on spotting, avoiding and reporting phishing. Interactive security awareness training aids, such as Wombat Security Technologies’ Anti-Phishing Training Suite or CoDefense, can help teach employees to avoid phishing. Sites like FraudWatch International and MillerSmiles publish the latest phishing email subject lines circulating the internet.
Protecting your practice from phishing (along with other cyberthreats) is a complicated and full-time job beyond the capabilities of most practices. Although there are cybersecurity tasks that can be handled within the practice (eg, training and setting up a security plan), hiring an outside IT firm to manage your network security is well worth the money in the long run.
Cybersecurity Guide Available to Members of Smart Business Great Medicine.