According to HIPAA, the first half of 2019 saw the breach of 31.6 million healthcare records. Cybercrime targeting medical offices has been on the rise, peaking at 2 attempted breaches per day. Because of the sensitive nature of healthcare information, phishing attacks are the most common threat.
What is Phishing?
Phishing is an attempt to convince a computer user to share confidential information. Impersonating an authoritative individual or organization that the user has been dealing with is a common way of doing this.
What Are the Common Signs of Phishing?
Email is a popular phishing tool. Fraudulent emails may display the following signs:
- An intriguing subject line that tempts users to open the email – alarming phrases like “fraud alert,” “free giveaway,” and others may be used to get users’ attention.
- Emails may also contain the company logo and address details that make them look completely legitimate. However, on closer inspection, users may notice slight differences.
- Embedded links that lead to fake websites are also common. In these cases, user information is harvested and used for nefarious purposes.
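The three signs listed above can be turned into a simple mail-gateway or SOC triage check. The following is an added example, not code from the original article; the trusted domains and the sample messages are constructed placeholders, and the "urgent" bait phrase is an assumption beyond the article's two examples.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the institution legitimately deals with (placeholders).
TRUSTED_DOMAINS = {"example-clinic.org", "example-insurer.com"}
# Subject bait phrases named in the article; "urgent" is an added assumption.
BAIT_PHRASES = ("fraud alert", "free giveaway", "urgent")

# Matches <a href="...">display text</a> in the HTML body.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance; used to spot one- or two-character lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    """Lower-cased hostname of a URL, tolerating bare domains without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(msg):
    """Return the red flags found in a message given as {'from', 'subject', 'html'}."""
    flags = []
    subject = msg["subject"].lower()
    for phrase in BAIT_PHRASES:
        if phrase in subject:
            flags.append(f"bait subject phrase: {phrase!r}")
    sender = msg["from"].rsplit("@", 1)[-1].lower()
    if sender not in TRUSTED_DOMAINS:  # near-miss of a trusted domain = lookalike sender
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(sender, trusted) <= 2:
                flags.append(f"sender domain {sender!r} resembles trusted {trusted!r}")
    for href, text in ANCHOR_RE.findall(msg["html"]):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        # Link text that looks like a domain but resolves elsewhere is a classic fake-site lure.
        if re.search(r"\.[a-z]{2,}", shown, re.I) and host_of(shown) != host_of(href):
            flags.append(f"link text {shown!r} points to {host_of(href)!r}")
    return flags

SAMPLE = {  # constructed phishing message exhibiting all three signs
    "from": "billing@examp1e-clinic.org",
    "subject": "Fraud Alert: verify your account today",
    "html": '<p>Log in at <a href="http://login.examp1e-clinic.org/verify">example-clinic.org</a></p>',
}
BENIGN = {  # constructed legitimate reminder
    "from": "records@example-clinic.org",
    "subject": "Appointment reminder",
    "html": '<a href="https://example-clinic.org/portal">patient portal</a>',
}
```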
3 Common Medical Phishing Schemes
The motive for attacking a healthcare organization is often financial. The industry is worth millions of dollars, hence the frequency of phishing schemes. Hackers often opt for CEO phishing, spear phishing, or website phishing to dupe medical staff.
1. CEO Phishing
Most phishing schemes involve the impersonation of an authority figure. Hackers will dupe an executive into giving out their login information. They may also compromise the system and gain access to executives’ email accounts. They then use this access to impersonate the executive and instruct the staff to take various actions.
In May 2019, Community Psychiatric Clinic (CPC) became aware of a malicious individual impersonating the company’s executives in order to induce a fraudulent wire transfer. The Seattle-based mental health provider reported that the criminal had gained access to one of its employees’ Microsoft Office 365 email accounts. The company took swift action, which resulted in the recovery of all funds that had been wired.
2. Spear Phishing
Hackers also often add a personal touch to their emails to ensure their victims have no doubts. Spear phishing is a targeted attack that uses the victim’s name, position, and phone number as well as other work-related details to personalize a fraudulent email.
The goal of this type of phishing is to get the victim to click on a malicious link that will require them to hand over sensitive information. Hackers use multiple data sources to create a fool-proof email that will convince the victim.
3. Website Phishing
The scammers create a fake website that looks authoritative and is unlikely to arouse suspicion. Then, they hack the institution’s network and send out mass emails that require staff to click on a link and head to the website. Information harvested from such an attack can then be used for various nefarious purposes, including being sold on the black market.
How Medical Institutions Can Protect Themselves from Phishing Schemes
To avoid falling prey to such schemes, institutions must:
- Educate their staff, including executives, on how to recognize and avoid phishing schemes.
- Install a spam filter that detects malicious activity.
- Encrypt sensitive ePHI.
- Enable two-factor authentication to prevent unauthorized access.
- Install browser add-ons that prevent users from clicking on malicious links.
- Update all systems to be HIPAA and HITECH compliant.
In addition, institutions can hire an MSP to manage the risks presented by phishing attacks. Such a service ensures that staff are adequately trained to identify and deal with cybercrime, and that systems are kept updated and protected from malicious users.
Hackers can easily take advantage of medical staff through impersonation. The best defense against phishing schemes is having highly trained employees who are able to detect and avoid such attacks. Hiring an MSP is one of the most cost-effective ways of dealing with the ever-present phishing threat.