5 ways to avoid a phishing attack at your medical practice

A new study reports that phishing remains the leading cause of data security incidents for the third straight year, and the healthcare industry is the number one target of scammers.

According to the report, issued by BakerHostetler, 34 percent the data security incidents they managed last year involved phishing, and more than a third-35 percent of their clients-were in the healthcare industry. “It definitely is a huge problem,” says Eric Packel, a partner in the firm who specializes in privacy, data security, and technology issues. “There’s not a week, not a day, that goes by that I don’t get another request on a phishing incident for a client. The healthcare industry may be more of a target because healthcare information stays with (people).”

A phishing attack is when someone is tricked by an email message into providing access credentials to an unauthorized party, visiting a phony website or clicking on a link that installs malware.

The cost is quite high: An average forensic investigation into a phishing attack costs more than $84,000, with the largest investigations costing nearly $437,000. The average time between the incident and discovery is 66 days, with three days from discovery to containment, and then another 36 days to complete the forensic investigation and notification process. All 50 states have a data breach notice law, which requires providers to notify patients and vendors whose information may have been compromised, as well as HIPAA rules.

Particularly, Packel says, phishing scammers use information like Social Security numbers and healthcare identification-private details about illnesses, conditions, etc.-to create false identities and fraudulently bill Medicare, Medicaid, and other payers.  Sometimes, they’ve even changed the direct deposit for employee compensation to out-of-the-country accounts.  “If the employee uses the same credentials in different applications (at work) and these credentials are given up in the phishing attack, then the attacker can go to the benefits system and redirect their paychecks,” Packel says.

According to the report, both sophisticated and unsophisticated hackers use phishing to obtain direct network access, convince employees to wire money, enable remote access with compromised credentials, or deploy malware and ransomware. “If you haven’t been targeted, you will be,” he says. “It’s not a matter of if, but when.”

One of the challenges for physicians and healthcare providers is that any employee, from the CEO down to temporary office workers, can be victimized. “As a matter of fact, when it comes to organizations, it’s the higher-level employees who are more likely to respond to these phishing emails because they’re so busy,” Packel says. “It’s not the lower level employees or the less sophisticated employees. We’ve seen many physicians respond to these emails simply because they’re so busy, and they just want to move stuff along.”

Often, it’s not just one physician within a practice responding to a hacker’s email. “I’ve had as many as 39 to 40 physicians respond to a phishing attack, and that single attack could mean tens of thousands, if not hundreds of thousands of emails to parse through to determine what’s in there,” Packel says.

And it’s not just the larger healthcare organizations, which are targeted. “Think about it this way,” Packel advises. “Smaller providers might not have as many sophisticated defenses, technically or otherwise, and smaller providers are sometimes easier targets.”

While some hackers are unsophisticated-think of the Nigerian prince emails-many are more sophisticated, and the emails they send and the websites they link to are nearly identical to real websites that might be portals for insurance companies, etc.

So, how can physicians and their staff protect their practices from being compromised? Packel offers the following tips:

1. Determine which employees are most at risk for clicking on a phishing email. “Some companies send out a fake phishing email to test their employees, and those who consistently respond to any phishing emails can get additional education,” Packel says. “You can target your training to the employees who need it the most.

2. Institute a multifactor authentication process. A multifactor authentication process means that not only do people have to enter in their usernames and passwords, after they click on those, they have to put in an additional code. This code could be sent as a text, to another email address, or it could be a keyfob. “It makes it much more difficult for the attacker to get into the system if you have multifactor authentication,” Packel says.

3. Educate about extra security. Work with your informational technology staff or vendor to determine what kind of multifactor authentication process would work best for your practice, and then determine the logistics of installing a system and getting everyone on board.  “It’s becoming the de facto standard,” Packel says.  “Here at my law firm, we have multifactor authentication in place, and we’re certainly used to it.”

4. Stress the importance of safety. Expect pushback, especially from higher-level staff, who sometimes feel they don’t have enough time or energy to learn or implement the new system.

5. Budget accordingly. There are also costs to installing new technology. “There’s political pushback and financial and technical issues to consider, particularly with larger, more complex organizations,” Packel says. “But certainly the cost of one data security incident could be more than the cost of putting multifactor authentication into place.”