Here’s how to prevent phishing attacks on your medical practice

The illegal business of malicious cybercriminals is profitable and growing at an alarming rate, and the healthcare segment is a top target.

It is a recurring topic in the daily news — data breaches, credit card hacks, stolen identities, ransomware and the devastating impact of cybercrime. Unfortunately, the illegal business of malicious cybercriminals is profitable and growing at an alarming rate, and the healthcare segment is a top target. Phishing is one of the most common lures used to find vulnerabilities and break into highly sensitive systems, and healthcare practices must understand the threats and prepare for an inevitable attack.

What is a phishing attack?

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), phishing attacks use email or malicious websites that solicit personal information by posing as a trustworthy organization. CISA testing has found that email phishing is the number one method for gaining access to a private network. Typically, phishing emails are expertly designed to trick people into giving up personal and online account information. The solicitations may appear to come from reliable organizations, such as banks, utilities or charities, or can take advantage of current events and certain times of the year, such as natural disasters, epidemics and health scares, political elections or even holidays.

Why healthcare is a huge target

Phishing attacks target a broad spectrum of private and public entities, but research from a Texas State University report found that an individual’s medical information is 20 to 50 times more valuable to cyberactors than personal financial information. The relative value of health records may seem surprising when compared to a person’s private banking or credit data, but access to medical information can enable identity theft, medical fraud, extortion and even illegally obtaining controlled substances.

The numbers are clear and frightening – there has been a sharp increase in healthcare data breaches in recent years, and the trend is expected to continue. The statistics from the 2022 Healthcare Cyber Trend Research Report cite:

  • More than 521 major hacking/IT breaches
  • A year-over-year increase of 25.24%
  • 43,096,956 impacted individuals
  • 141 of the 521 breaches began with a malicious email

Email ranks as the most common attack

Email has become a widely used and convenient communications tool, but in healthcare it now presents huge security challenges as email cyberattacks become more frequent, targeted and sophisticated. Not only is patient privacy at risk, but lifesaving care may be compromised, and a practice’s business and adherence to HIPAA regulations can also be impacted. Verizon’s 2021 Data Breach Investigations Report states that phishing and cloud-based email attacks are the most common social engineering techniques utilized today.

How does social engineering come into play? Healthcare staffers are the lifeblood of the business, but in the cyberworld they can also be the weakest security link at a practice. After all, they are human. According to HealthData Management, less than 1% of cyberattacks in 2019 exploited a hardware or software vulnerability; 99% utilized some form of human intervention. An inadvertent mouse click on a phishing email might only shut a system down temporarily, but at worst it may expose protected health information (PHI) and create a systemwide breach. That could leave a practice facing a HIPAA violation and related fines, extensive downtime, significant recovery costs, furious patients and even lawsuits.

How to protect email and meet HIPAA standards

Ensuring a practice has email security is most easily achieved with a HIPAA compliant email service. The HIPAA Security Rule specifies that reasonable and appropriate administrative, physical and technical safeguards are required to be in place to protect patient privacy. For example, covered entities must implement procedures around the use, disclosure and access to PHI. Any policy should include contingency plans in case a breach does occur, as well as the proper method for removal and/or disposal of PHI.

Every organization will need to assess the right mix of email security protocols for their situation and create a security plan. It is up to each practice to understand and correctly implement cybersecurity measures to ensure HIPAA compliance, such as:

  • Email gateways
  • Multi-factor authentication
  • Data loss prevention (DLP)
  • Email encryption (in transit and at rest)
  • Inbound email filters
  • Employee training

Email technology can improve security

Many healthcare practices are implementing email security solutions to help ensure HIPAA compliance and tighten up email security overall. When reviewing the options, the fundamental need is an email technology system that will automatically encrypt every sent email between the sender and receiver, removing the risk of outbound employee error. Another important feature is an email service that will protect against inbound email security threats, with proactive features that stop malicious emails from reaching an inbox while also blocking common phishing attacks like display name spoofing. Finally, a strong email solution should work with the existing email platform, providing top-notch security that is still easy to use with no extra passwords, portals or logins required.
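As an added illustration of the display name spoofing check mentioned above (example code written for this article, not Paubox's or any vendor's product logic; the practice domain, staff names and sample messages are all constructed), the following inbound filter flags a message whose From: display name matches a staff member while the sending address is outside the practice's domain:

```python
# Added example (not the article's or Paubox's code): flag display-name
# spoofing on inbound mail by comparing the From: display name with a
# constructed staff directory and checking the sender's domain.
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: the practice's own domain and staff directory.
PRACTICE_DOMAIN = "example-clinic.test"
STAFF_NAMES = {"dr. jane rivera", "sam okafor"}


def _normalize(name: str) -> str:
    # Lower-case and collapse whitespace so "Dr.  Jane Rivera" still matches.
    return " ".join(name.lower().split())


def check_from_header(raw_message: str) -> str:
    """Classify one RFC 5322 message by its From: header.

    Returns 'internal' (address on the practice domain),
    'spoofed_display' (display name matches a staff member but the
    address is external), or 'external' (no staff-name collision).
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == PRACTICE_DOMAIN:
        return "internal"
    if _normalize(display) in STAFF_NAMES:
        return "spoofed_display"
    return "external"


# Constructed sample messages, not real mail.
SAMPLES = [
    "From: Dr. Jane Rivera <jrivera@example-clinic.test>\nSubject: Schedule\n\nhi",
    "From: Dr.  Jane Rivera <jane.rivera.md@webmail.test>\nSubject: Urgent\n\nhi",
    "From: Billing Dept <billing@vendor.test>\nSubject: Invoice\n\nhi",
]


def scan(messages=SAMPLES) -> list:
    """Return the verdict for each message, in order."""
    return [check_from_header(m) for m in messages]


if __name__ == "__main__":
    for m, v in zip(SAMPLES, scan()):
        print(f"{v:16} {m.splitlines()[0]}")
```

A production gateway would pair this name check with sender authentication (SPF, DKIM, DMARC) rather than rely on the display name alone, since the display name is attacker-controlled text.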

Just as healthcare practitioners can expect a full email inbox each morning, they should also expect phishing attacks to be lurking around the corner. With a strong email security plan, employee training and the latest email security technology, every practice can minimize the potential for a data breach and keep communications and workflow moving smoothly.

Shawn Dickerson is Vice President of Marketing for Paubox, a leader in HIPAA compliant email and marketing solutions for healthcare organizations.