5 ways to prevent a phishing attack

Published on: Medical Economics Journal, March 10, 2019 edition, Volume 96, Issue 5

Strategies to make sure your practice does not fall victim. 

Phishing is a leading cause of data security incidents, and the healthcare industry is the number one target of scammers.

A phishing attack is when someone is tricked by an email message into providing access credentials to an unauthorized party, visiting a phony website or clicking on a link that installs malware. Scammers use information like Social Security numbers and healthcare identification (private details about illnesses, conditions, etc.) to create false identities and fraudulently bill Medicare, Medicaid, and other payers, says Eric Packel, a partner at Baker Hostetler who specializes in privacy, data security and technology issues.

The cost is quite high: An average forensic investigation into a phishing attack costs more than $84,000, with the largest investigations costing nearly $437,000. The average time between the incident and discovery is 66 days, with three days from discovery to containment, and then another 36 days to complete the forensic investigation and notification process. All 50 states have a data breach notice law requiring providers to notify patients and vendors whose information may have been compromised, and HIPAA rules impose notification requirements as well.

So, how can physicians and their staff protect their practices from being compromised? Packel offers the following tips:

1/ Determine which employees are most at risk for clicking on a phishing email. 

“Some companies send out a fake phishing email to test their employees, and those who consistently respond to any phishing emails can get additional education,” Packel says. “You can target your training to the employees who need it the most.”

2/ Institute a multifactor authentication process.

A multifactor authentication process means that people do not just enter their usernames and passwords: after submitting those, they also have to enter an additional code. The code can be sent by text message or to another email address, or it can be generated by a key fob. “It makes it much more difficult for the attacker to get into the system if you have multifactor authentication,” Packel says.

3/ Educate about extra security. 

Work with your information technology staff or vendor to determine what kind of multifactor authentication process would work best for your practice, and then determine the logistics of installing a system and getting everyone on board. “It’s becoming the de facto standard,” Packel says. “Here at my law firm, we have multifactor authentication in place, and we’re certainly used to it.”

4/ Stress the importance of safety. 

Expect pushback, especially from higher-level staff, who sometimes feel they don’t have enough time or energy to learn or implement the new system.

5/ Budget accordingly.

There are also costs to installing new technology. “There’s political pushback and financial and technical issues to consider, particularly with larger, more complex organizations,” Packel says. “But certainly the cost of one data security incident could be more than the cost of putting multifactor authentication into place.”