If you’ve sent an email or used a computer during the past 10 years, you’ve likely been the target of a phishing scam. It may have taken the form of a dubious-looking message from overseas royalty asking for your help transferring money to the states, or a convincing email purportedly from your credit card company prompting you to confirm your account information.
Over the past year, several large health care organizations have fallen victim to email phishing attacks, compromising health data for millions of patients. The FBI warned last year that lax IT security has left the health care sector vulnerable to such attacks, according to Reuters.
Medical data fetches high prices on the black market because victims may not realize quickly that their information has been compromised. Also, the data can be used for both financial and medical fraud. For example, a criminal might pose as a specific patient to gain access to his or her prescription for opioids or other controlled substances.
Here’s a look at how to protect your practice from phishing attempts.
How phishing works
Phishing emails are designed to look legitimate and often identify key staffers by their role in the organization, says David Holtzman, JD, a vice president at data security firm CynergisTek. They generally take two forms:
- A request that the recipient reply with, or enter on a linked look-alike login page, his or her user name, password, or other account credentials.
- A message whose links or attachments, when opened, install malware that gives the attacker remote access to the target's email account, computer, or network.
Protecting your data
Raising staff awareness is critical to shutting down attempted phishing attacks, Holtzman says. Here are some tactics:
- If you don't recognize the sender, don't open attachments or click on links within the email; even when the name looks familiar, check the actual sender address, not just the display name, before trusting the message.
- Don’t interact with email offers that sound too good to be true.
- Remember that no one connected with your organization will ever send a message asking you to confirm your user name, password or account number.
- If an email sounds suspicious, search online to see if it’s part of a known phishing scam.
- Hire an outside firm to conduct a phishing exercise to learn which team members engage with suspicious messages. Provide training on recognizing phishing emails, and consider monitoring individuals who prove susceptible to such messages.
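The checks above (sender address versus display name, links that do not go where their text says, requests for credentials) can be automated. The script below is an added example written for this article, not code from the article or from CynergisTek; the sample message, the practice domain `example-practice.com`, and the hostnames inside it are all constructed for illustration. It parses a raw email, compares the From and Reply-To domains, extracts each link's visible text and real target, and flags credential-request wording, which covers both forms of phishing described under "How phishing works".

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing message (made-up names and domains, not a real email).
SAMPLE_EMAIL = """\
From: "Practice IT Helpdesk" <helpdesk@example-practice.com>
Reply-To: helpdesk@mail-login-verify.example.net
To: staff@example-practice.com
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is over quota. Please confirm your user name and password
within 24 hours or your account will be suspended.</p>
<p><a href="http://example-practice.com.login-verify.example.net/auth">
https://example-practice.com/webmail</a></p>
</body></html>
"""

# Constructed benign message, to show the checks stay quiet on ordinary mail.
BENIGN_EMAIL = """\
From: "Office Manager" <manager@example-practice.com>
To: staff@example-practice.com
Subject: Staff meeting
Content-Type: text/plain; charset="utf-8"

Reminder: staff meeting in the break room at 9 tomorrow.
"""

# The organisation's own mail domain (assumed for this example).
TRUSTED_DOMAIN = "example-practice.com"

# Wording typical of the "reply with your credentials" form of phishing.
CREDENTIAL_PHRASES = (
    "confirm your user name", "confirm your password", "verify your account",
    "enter your password", "reply with your password",
)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Good enough for the sample; production code
    should use a public-suffix list so that e.g. 'example.co.uk' is handled."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(url):
    host = urlparse(url).hostname
    return registrable_domain(host) if host else ""


def address_domain(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain and text/html parts, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def analyse(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Replies silently redirected to a domain other than the visible sender's.
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. Wording that asks for credentials (the reply-with-your-password form).
    body = body_text(msg)
    lowered = re.sub(r"\s+", " ", body.lower())
    for phrase in CREDENTIAL_PHRASES:
        if phrase in lowered:
            findings.append(f"Requests credentials: '{phrase}'")

    # 3. Links whose visible text claims one site but whose target is another,
    #    and any link leaving the organisation's domain (the malicious-link form).
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        href_dom = domain_of(href)
        if text.startswith("http") and domain_of(text) != href_dom:
            findings.append(f"Link text {text} actually points to {href_dom}")
        if href_dom and href_dom != TRUSTED_DOMAIN:
            findings.append(f"Link to external domain {href_dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyse(raw) or "no findings")
```

On the sample message the script reports the mismatched Reply-To, the credential request, the link whose text reads `https://example-practice.com/webmail` but resolves to `example.net`, and the external link itself; on the benign message it reports nothing. The registrable-domain helper is deliberately crude; in a real mail filter, use a public-suffix list and also inspect attachments, which this example does not do.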