Guarding Your Medical Practice Against Phishing Scams, Social Engineering, and Cybercrime

Episode 43: Guarding Your Medical Practice Against Phishing Scams, Social Engineering, and Cybercrime

In a world where almost everything has moved online, cybersecurity is a topic that no one in healthcare can afford to ignore. Whether you’re a solo practitioner or part of a large medical group, understanding how to protect your practice from phishing scams, social engineering, and other cybercrimes is crucial.

Cybersecurity is a hot topic, especially considering how healthcare organizations are often the primary targets for various cyber threats. Our EMRs are great targets for hackers, as they contain all kinds of information like dates of birth, social security numbers, and other data points that are valuable to people on the dark web who are looking to perpetrate identify theft crimes. The information stored within medical practices is extremely sensitive. We’re talking about patient records, billing information, and even insurance details. And, since healthcare providers are often focused on patient care, this may leave little time to devote to issues like cybersecurity, making them easier targets. Another risk factor for medical practices as we’ve said many times, the amount of money flowing through the average medical practice makes you especially vulnerable to hackers and thieves.

So what types of cyber threats should healthcare professionals be on the lookout for?

There are several, but the most common ones include:

• Phishing Scams: Emails disguised as legitimate messages, but that in fact are designed to entice you to share sensitive information with a hacker.
• Ransomware Attacks: In this scenario, the hackers install a type of malware that encrypts files on your system so you cannot use it, and then they demand a ransom for their release.
• Social Engineering: This involves manipulative tactics like cloning your email so the hackers can trick your employees into divulging confidential information or paying fictitious bills that go straight into their bank account.
• Data Breaches: This is when the hackers gain unauthorized access to confidential patient information, often with the intent to sell the data on the black market.

So let’s talk about how to protect your medical practice from hackers. There are some easy internal controls and steps that physicians and clinic leaders can put into place to safeguard their systems and their money.

First and foremost, educate your staff. A majority of cyber-attacks are successful because of human error. Regular training can make your employees aware of the risks and help them recognize suspicious activities. I make a point of forwarding any phishing emails I receive to our entire team from time to time, just to show them the latest and greatest examples of phishing, so they can delete them if they receive a similar one. It should be noted that a few years ago, you could spot a phishing email miles away with all of the misspellings and grammatical errors. Not so anymore. Keep an eye out!

Multi-Factor Authentication (MFA) is another strong strategy. And yes, I can hear your sigh! Sometimes it feels like we need eighteen different logins and passwords and passcodes just to get into our system to begin work. And it’s our reality given the sensitivity of the data we are entrusted with. Implementing MFA adds an extra layer of protection. Instead of relying solely on passwords, MFA requires additional verification, like a phone number or biometric data. I especially like biometric data, as it’s hard to fake, and I generally always have my thumbprint handy.

It should go without saying that we should always have secure networks and devices. When was the last time your group’s IT infrastructure was reviewed and perimeter testing was completed? If you can’t remember, it’s likely time to call your IT person. Please ensure that your WiFi networks are secured and all devices used for work are encrypted. If you’re offering WiFi for patients or guests to use, ensure that is on a separate network. This adds another layer of security that can deter cybercriminals.

Aside from conducting regular security audits to identify vulnerabilities, please ensure that all essential data is backed up in a secure, offsite location on a daily basis, or some groups have mirrored servers offsite that keep an ongoing copy of everything that’s happening on the servers in real time. This can help tremendously with ransomware and malware attacks.

One internal control that is often overlooked is the simple restriction of access. Best practice is to restrict access to sensitive data only to those who absolutely need it for their job functions. The fewer people who have access, the less chance there is for information to be leaked or stolen. We go into many clinics who have not cleaned up their domain security for several years. We find old employees who left years ago and people whose roles have changed, but their access has not. In some cases, we see people with very little responsibility at the clinic having the keys to the entire kingdom! Please, lock it down. And please make sure that one of the practice owners always has super admin rights so that you cannot be held hostage by a disgruntled IT person who may be on their way out.

One of the most effective, low-tech solutions to all of this is to talk to each other! Or at least, take it out of the email domain. If something smells funny, send a text about it to verify that it’s legit. Or, find your coworker in the hall and verify. Or, if you work remotely, make an old-fashioned phone call to double check that the new vendor in the email is actually one the group wants to pay! I’ve mentioned in previous episodes that we have a client who was a victim of a clever social engineering scheme. The hackers cloned one of the physicians’ email addresses and sent several bogus invoices to the accounts payable clerk. She is a kind, gentle person who would never think to question the doctors. So, she paid about $120,000 worth of invoices to fictitious vendors over several months before the theft was caught. She thought she was doing the right thing.

So, given all of this risk, we’ve also seen a rise in cyber insurance products on the market, and a rise in training for groups about the various cyber security threats. As we mentioned in Episode 30, cyber insurance can act as a financial safety net in case you do become a victim of a cyber-attack. It’s not a replacement for robust cybersecurity measures, but it is an added layer of protection for your group. Your medical malpractice coverage will include some cyber liability insurance, but it generally a small amount and will not go far in protecting you if your practice sustains a big hack.

In closing, I have to say that I always wish the hackers would use their powers for good! What a world we would have. And, until they do, knowledge is the first line of defense against any cyber threat. Educate your staff, tighten your internal controls, and never underestimate the ingenuity of cybercriminals. Prevention is better than cure, especially when it comes to protecting the sensitive data that our patients share with us. We owe it to them to do our best to safeguard their data.

Thanks for joining me today – be sure to Follow or Subscribe to get future episodes delivered automatically. Join me for our next episode, where I’ll be talking about clawing back at insurance clawbacks and what happens when the insurance companies pull back money they’ve already paid you and what you can do about it.