By: Robert McDermott, President and CEO, iCoreConnect
Do you feel like you’re hearing a lot about ransomware, phishing and hacking these days? You’re not imagining an increase in these buzzwords. They’re popping everywhere: news media, compliance reports, technology and trade journals, and the list goes on. It’s important to recognize that these words are more than just the latest media buzz. They’re real threats.
Cybercrimes remain a problem for dental and medical professionals with little sign of going away anytime soon. The primary ways your practice can be compromised are through your IT infrastructure and your email. The weakest link in the chain, however, is people.
Criminals have become quite effective at using malicious email to exploit human vulnerability and gain access to protected health information (PHI). When an email comes in posing as a trusted source like a bank, an online payment site or even a social networking site, your staff needs to know what to do … and what not to do. Every day, cybercriminals successfully steal everything from patient and insurance records to passwords, social security numbers, credit card information and account numbers. These kinds of attacks are called “phishing.” They are designed to get you to click a link, call a number or respond with personal information.
Educate your staff on what to look for in a phishing attack. The Federal Trade Commission’s Consumer Division explains that phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. These emails may:
- say they’ve noticed some suspicious activity or login attempts.
- claim there’s a problem with your account or your payment information.
- say you must confirm some personal information.
- include a fake invoice.
- want you to click on a link to make a payment.
- say you’re eligible to register for a government refund.
- offer a coupon for free stuff.
As a dental health provider, confirm that every email with any connection to PHI, payments, passwords or other sensitive information is being sent through a secure, HIPAA-compliant email service.
Not sure how to know? Check to make sure your secure email service uses its own private network to transmit messages, not the public internet. You also will know if your email is fully secure and compliant based on the way email communication is initiated. If your practice must initiate the first message in an email conversation, then your system is highly secure. The security key is that no one can randomly email you or your staff if you haven’t sent a secure email to them first. That eliminates phishing and hacking because cybercriminals can’t reach you. Once you have that first email interaction with another doctor, pharmacy, patient, etc., your workflow is the same as any other email.
If you are sending PHI via Google, verify you are using the paid version, Google Workspace Gmail. Even if you have some security steps in place on a non-paid Gmail address, you are most likely neither HIPAA compliant nor protecting your patient’s records. You may want to consider using Gmail, and other similar services, for sending everything that isn’t PHI or sensitive information. Secure and non-secure emails often can be accessed in the same email interface requiring only one login to access all your email accounts.
So, what happens if your email isn’t secure and someone in your office clicks a link? Well, you’ve just left the back door unlocked and let a cybercriminal sneak into your business. Once a cybercriminal gets into your system, usually without detection, they have one goal: wreak havoc to get money. They can lock up your entire records system and hold it for ransom, usually requiring payment in bitcoin. Thousands of attacks are launched every day with good success. It’s a scenario you don’t want to deal with. Fortunately, it’s also preventable.
Teach your staff or bring in an IT managed services provider (MSP) to talk with your office about the best practices to prevent phishing scams. Learn to identify a suspicious email and report it to your IT or MSP team. Most importantly, never click on buttons/links, call the listed phone number or respond to the message, especially with personal information.
Replace your current moderately secure email service with a truly secure, HIPAA-compliant email and you’ll significantly decrease the risk of your data being accessed through email.
Cybersecurity, phishing and ransomware are more than buzzwords. They represent identity theft, credit card and bank account access, and the loss of patient trust. Prevent access. Use secure email. Stay off the radar of those looking to profit off your practice. These simple steps can save you headaches and heartbreaks from having PHI stolen or captured and then paying a high ransom to get your practice up and running again.
FDA Services endorses iCoreExchange HIPAA-compliant email. iCoreExchange not only meets or exceeds every compliance and security requirement, but it also allows you to attach as many large files as you want to any single email. Speed up your workflow, protect patients and your practice. Check out this convenient and compliant service or call 888.810.7706. FDA members receive a substantial discount on iCoreExchange.