The onslaught of attacks on healthcare never ceases. Protected Health Information (PHI) is so essential and valuable that it is a tempting target, and even with multi-layered security in place, some attackers still slip through. Phishing is currently one of the most common ways to get past those layers: it preys on employees through their email. In a recent survey, 83 percent of physicians reported having experienced a cyber attack, and 55 percent of those incidents were the result of phishing. Everyone who works in healthcare and uses email (which happens to be everyone) needs to understand what phishing is, how to spot it, and how to avoid it.
Phishing is a fraudulent message that impersonates a trusted sender in order to obtain something from you. Often these messages are so well disguised that even a cautious person could be deceived. They entice the intended victim to click a link, open an attachment, or enter a password, typically to harvest login credentials or to deliver malware such as ransomware. Ransomware is a program that encrypts essential data with a key that only the attacker holds. For organizations without tested, offline backups, this blocks access to crucial information until a ransom is paid (with no guarantee that the data comes back) or a painful, expensive, time-consuming restoration is performed.
So how do you spot phishing? Be wary of anything that asks you to verify an account or enter any personal information, especially if it conveys a sense of urgency. Instilling panic is a common tactic to provoke a victim into acting quickly without verifying the legitimacy of the source. A generic greeting can be an indicator: attackers often send to thousands of addresses without knowing the recipients' names, while a legitimate sender with whom you have a relationship will usually address you personally. The reverse does not hold, though. Targeted (spear-phishing) messages do use your name, title, and colleagues' names, so a personal greeting is not proof that a message is genuine.
Be aware of links in emails. The visible text of a hyperlink is independent of the address it actually opens: "healthinstitution.com/login" can be displayed while the link goes somewhere else entirely. You can check a hyperlink by hovering over it without clicking (on a phone, press and hold) and the full URL will appear. If the URL does not match the message or looks suspicious, do not click. Examine the link closely, because it may look legitimate when in fact it contains a slight variation. For example, healthinstitution.com could be healthinstitution1.com or healthinstitution.net, a minor variation that is easy to miss, especially in a hurry. Another common trick is to place the real name in front of an unrelated domain, as in healthinstitution.com.example-host.net, where the part that matters is the last two labels (example-host.net), not the familiar name at the front. If the message appears to be important and from a known source, instead of clicking the link in the email, enter a known URL for the site directly in your browser.
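The checks described above (display text that does not match the real destination, one-character and different-TLD look-alikes, and a trusted name buried as a subdomain of another host) can be automated. The following is an added example, not code from the original article: it scans a constructed HTML email body for anchor tags and reports why each link looks suspicious. The trusted-domain list and the sample message are assumptions for the example; the domain splitting is deliberately simplified (last two labels) and a production tool would use the Public Suffix List and also handle Unicode homoglyph domains.

```python
"""Flag suspicious links in an HTML email body (added example, constructed data).

Checks implemented:
  * display text names one domain while the href points at another
  * same name, different TLD (healthinstitution.net vs healthinstitution.com)
  * one or two characters off (healthinstitution1.com)
  * a trusted name used as a subdomain of an untrusted host
Simplification: registrable domain = last two labels; real code should
use the Public Suffix List (e.g. for *.co.uk).
"""
import re
from urllib.parse import urlparse

# Assumption for the example: domains the organisation really uses.
TRUSTED_DOMAINS = {"healthinstitution.com"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alikes that differ by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(display_text: str, href: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return the reasons a link looks suspicious; an empty list means no finding."""
    findings = []
    parsed = urlparse(href)
    if not parsed.scheme:                      # bare "example.com/path"
        parsed = urlparse("http://" + href)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)

    if parsed.scheme not in ("http", "https"):
        findings.append(f"unusual scheme {parsed.scheme!r}")

    if domain not in trusted:
        name, _, tld = domain.rpartition(".")
        matched = False
        for t in sorted(trusted):
            tname, _, ttld = t.rpartition(".")
            if ("." + t + ".") in ("." + host):   # healthinstitution.com.evil.net
                findings.append(f"trusted name {t!r} used as a subdomain of {domain!r}")
            elif name == tname and tld != ttld:
                findings.append(f"same name, different TLD: {domain!r} vs {t!r}")
            elif levenshtein(name, tname) <= 2:
                findings.append(f"look-alike domain: {domain!r} vs {t!r}")
            else:
                continue
            matched = True
        if not matched:
            findings.append(f"domain {domain!r} is not on the trusted list")

    # What the user sees vs where the link really goes (the "hover" check).
    m = HOST_IN_TEXT_RE.search(display_text)
    if m:
        shown = registrable_domain(m.group(1))
        if shown != domain:
            findings.append(f"text shows {shown!r} but link goes to {domain!r}")
    return findings


def scan_email(html: str) -> dict[str, list[str]]:
    """Map every href in an HTML body to its list of findings."""
    return {
        href: check_link(re.sub(r"<[^>]+>", "", text).strip(), href)
        for href, text in ANCHOR_RE.findall(html)
    }


# Constructed sample message; the domains are illustrative only.
SAMPLE_EMAIL = """<p>Your account will be suspended in 24 hours.</p>
<a href="https://healthinstitution.com/portal">Open the patient portal</a>
<a href="http://healthinstitution1.com/verify">Verify your account now</a>
<a href="https://healthinstitution.net/login">healthinstitution.com/login</a>
<a href="https://healthinstitution.com.evil-mail.net/reset">Reset password</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "ok")
```

The first link is genuine and produces no finding; the other three are each caught by a different check. The same logic belongs in a mail gateway or a "report this message" tool, but the human version is identical: hover, read the last two labels before the first slash, and compare them with the domain you expect.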
IT departments have controls in place, such as email filters, but phishing messages are still getting through at an alarming rate and compromising thousands of patient records, as documented on Health IT Security's website. Be vigilant and take a closer look at unfamiliar emails. If you come across something suspicious, do not click it; report it to your IT or security team so they can block the sender and warn others who received the same message. You may be the last line of defense for your organization.