Phishing is one of the most common ways hackers attempt to illegally access protected healthcare information. Regardless of your practice size, specialty, or area, your business could be targeted. 

Phishing is a serious threat and can lead to reputation loss, litigation, and fines. Luckily, there are simple steps you can take to lower your risk of a successful phishing attack at your practice. 

What Is Phishing?

A typical phishing attack involves an email sent to an unsuspecting person that includes an infected link or attachment. You may be asked to enter credentials into the link, allowing the attacker to gain access to sensitive information. Attachments will likely be infected with some form of malware.

Typically, the victim is not specifically selected (unlike spear phishing). Instead, the attacker sends thousands, or even millions, of messages with no knowledge of the recipients. Even small practices are targets. 

The three most common phishing themes for healthcare organizations are*:

1. Fake payment notifications
2. Alerts of new messages
3. Fake invoices 

Additionally, phishing can be very costly. In 2015, a phishing attack on Anthem led to a breach of 78.8 million records. As a result of this single attack, Anthem paid a $16 million settlement to resolve HIPAA violations and $115 million to settle a class action lawsuit filed by breach victims. To learn more, read about HIPAA settlements.

The best defense against a phishing attack is a well-educated and diligent staff.

How Can I Protect Myself?

1. Be wary of emails. Scrutinize every email you receive, whether personal or professional. Review emails with links or attachments very carefully.
2. Check the email sender. SANS recommends the sender’s address should be checked. If it comes from a personal account, like Gmail or Hotmail, it could be an indication of an attack. Be cautious with emails even from people you know, as their credentials or device may be compromised. If you receive a link or attachment that you were not expecting, the best practice is to confirm the legitimacy of the message by phone.
3. Look for personalization. An email that does not address you by name should be viewed as suspicious. According to SANS, you should ask yourself if you are expecting an email from the company the email is supposedly from.
4. Hover over links. If the email contains a link, hover over the link without clicking it to see the destination of the link. You can use that information to help determine if the link is legitimate.
5. Educate your staff and colleagues. You might have technology in place, like email filtering or anti-virus software, but those are not always effective in stopping a phishing attack.

The best defense against a phishing attack is a well-educated and diligent staff. It only takes a small mistake by a well-intentioned staff member to lead to a data breach and possible HIPAA violations. 

*According to Cofense’s 2018 State of Phishing Defense Report.

This article does not, and is not intended to, constitute legal or compliance advice, but is for general informational purposes only. You should contact an attorney to obtain advice with respect to any legal matter, including those related to topics covered in this article. No reader of this article should act or refrain from acting on the basis of information contained in this article without first seeking legal advice from counsel in the relevant jurisdiction. 

Looking for more security tips?

If you found this post useful, here’s another blog post you may like:
• The Secret to Successful Treatment Reviews: Treatment Plans, and the Language of Medical Necessity