Phishing is a cyber threat that has existed since the onset of email but continues to become more sophisticated and challenging to detect. Defined as “a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person” by the Computer Security Resource Center, phishing is a frequent occurrence and tends to increase during times of crisis.
As the tactic evolves and gets smarter, and with a worldwide pandemic adding pressure, it is no surprise that the healthcare industry has seen the number of attacks grow significantly over the past ten years. Health IT Security reports that “in 2012, according to data from the Department of Health and Human Services, just 4% of breaches involved email. In 2020, that number reached 42%.” These attempts can be hard for some people to spot, leading to compromised information, significant downtime at the practice, and potential reputational damage.
Once you’ve fallen for a phishing email, it’s often difficult and costly to extricate yourself from the perpetrator’s scheme. IBM’s 2021 Cost of a Data Breach Report found that “the average total cost [of a data breach] for healthcare increased from $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase.” Recovery from successful phishing attempts contributes substantially to these rising costs.
As costs rise, it becomes essential to educate healthcare staff and patients on how to recognize email phishing attempts that could quickly escalate into crises. Let’s explore the impacts cyberattacks can have on your organization and examine the most effective ways to recognize email phishing attacks so that your practice can avoid exposure.
Spotting suspicious emails
Senders of phishing emails intend to trick recipients into clicking on links and handing sensitive personal and financial information to the attacker. The sender often looks legitimate, typically posing as a reputable financial institution, social networking site, or even a trusted contact such as a co-worker or boss, making it difficult to tell whether the message is authentic or a ruse. The Federal Trade Commission (FTC) has identified the following clues to a phishing attempt. The communication in question may:
- Say [the sender has] noticed some suspicious activity or log-in attempts
- Claim there’s a problem with your account or your payment information
- Say you must confirm some personal information
- Include a fake invoice
- Want you to click on a link to make a payment
- Say you’re eligible to register for a government refund
- Offer a coupon for free stuff
Verifying that an email sender is authentic can be difficult, but it is possible. Look past the display name at the actual sender address, and hover over (rather than click) any link to see where it really leads. Grammatical and spelling errors are common in these messages and are a warning sign, though polished messages are not proof of legitimacy. Company names and trademarks may be misrepresented or shown differently from how the reputable organization usually brands itself. The messages usually convey a sense of urgency, using scare tactics or intense language. These are important red flags to notice.
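One way to turn the clues above into a repeatable check, as an added example that is not code from the original page or from Rectangle Health: the Python script below parses a raw message with the standard library and scores it on sender-address versus display-name mismatch, a redirected Reply-To, a look-alike sender domain, the receiving server's SPF/DKIM/DMARC verdicts, pretext language, and link text that does not match the link target. The trusted-domain list, the phrase list and both sample messages are constructed for the demonstration; the domain names in them are assumptions, not real organisations.

```python
"""Heuristic phishing triage for one raw email (Python stdlib only). Added example,
not code from the original page or Rectangle Health; all lists and samples are constructed."""
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains this practice legitimately receives mail from.
TRUSTED_DOMAINS = {"examplebank.com", "ourclinic.example", "paypal.com"}
# The FTC pretexts above (suspicious activity, account problem, confirm info, pay via link).
URGENCY_PHRASES = ("suspicious activity", "verify your account", "account has been",
                   "within 24 hours", "immediately", "payment information", "confirm your")
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # examp1e -> example
_ANCHOR = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host_of(link: str) -> str:
    # Hostname of a URL or a bare "host/path" string, minus any leading www.
    link = link.strip()
    if "://" not in link:
        link = "http://" + link
    host = (urlparse(link).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates (typo, homoglyph or brand-in-label), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.translate(_HOMOGLYPHS).replace("rn", "m").split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        tl = trusted.split(".")[0]
        if tl in label or SequenceMatcher(None, label, tl).ratio() >= 0.8:
            return trusted
    return None


def analyze(raw: bytes) -> dict:
    """Return the sender address, the red flags found and a score (their count)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    # 1. Display name borrows a trusted brand while the address does not.
    name_norm = from_name.lower().translate(_HOMOGLYPHS).replace(" ", "")
    if from_dom not in TRUSTED_DOMAINS and any(t.split(".")[0] in name_norm for t in TRUSTED_DOMAINS):
        findings.append(f'display name "{from_name}" imitates a trusted brand, address is {from_addr}')
    # 2. Replies are quietly redirected to another domain.
    reply_dom = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Sender domain is a look-alike of one we trust.
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} looks like {imitated}")
    # 4. The receiving server's SPF/DKIM/DMARC verdicts from Authentication-Results.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is {m.group(1)}")
    # 5. Pretext / urgency language in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hits = [p for p in URGENCY_PHRASES if p in f"{msg.get('Subject', '')} {text}".lower()]
    if hits:
        findings.append("pretext language: " + ", ".join(hits))
    # 6. Link text shows one site while the href goes to another.
    if body is not None and body.get_content_subtype() == "html":
        for href, shown in _ANCHOR.findall(text):
            shown = re.sub(r"<[^>]+>", "", shown).strip()
            if "." in shown and _host_of(shown) and _host_of(shown) != _host_of(href):
                findings.append(f"link text shows {_host_of(shown)} but points to {_host_of(href)}")
    return {"from": from_addr, "findings": findings, "score": len(findings)}


# Constructed sample: a lure imitating the bank that fails authentication.
PHISH = b"""From: "ExampleBank Security" <alerts@examp1ebank-secure.com>
Reply-To: recover@mail-verify.net
Subject: Suspicious activity detected - verify your account within 24 hours
Authentication-Results: mx.ourclinic.example; spf=fail smtp.mailfrom=examp1ebank-secure.com; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed suspicious activity on your account.</p>
<p>Sign in at <a href="http://examp1ebank-secure.com/login">www.examplebank.com/login</a>
to confirm your payment information.</p></body></html>
"""
# Constructed sample: a routine, authenticated message from a trusted domain.
CLEAN = b"""From: Billing <billing@examplebank.com>
Subject: Your monthly statement
Authentication-Results: mx.ourclinic.example; spf=pass; dkim=pass; dmarc=pass

Your monthly statement is attached.
"""

if __name__ == "__main__":
    print(analyze(PHISH)["findings"], "clean score:", analyze(CLEAN)["score"])
```

The Authentication-Results check only means something when the header was stamped by your own mail server; an attacker can add a forged one to the message they send, so in a real deployment strip or ignore any copy that arrives from outside before trusting it. The scoring is deliberately simple (every finding counts one); a mail gateway would weight failed DMARC or a look-alike domain far more heavily than urgent wording alone.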
Types of phishing
Phishing attempts can seem harmless, but engaging with them can cause varying levels of damage. From putting protected health information at risk to transmitting sensitive financial information to the wrong recipient, the effects of a phishing attack can reach wide. Phishing emails are commonly grouped into three categories.
- Generic phishing emails don’t have a specific target and are often easier to spot due to their lack of plausibility. These messages often contain spelling errors and poor choices of language.
- Spear-phishing emails are tailored to you and appear to come from senders you recognize and trust. These messages can be challenging to detect; if anything seems off, question it before taking action. Confirm with the supposed sender through a separate channel, such as a phone call or a new message to an address you already have, rather than by replying to the suspicious email, since a reply goes straight back to the attacker.
- Whaling emails are targeted at leaders within an organization who have significant influence, putting both the recipient and the organization at risk.
These three forms of phishing can lead to identity theft, unauthorized network penetration, and additional outcomes that can be difficult to repair. Whichever form of phishing attack may confront you, knowing how to detect an attempt can minimize exposure.
Ramifications of cyberattacks for organizations
You might wonder what attackers hope to gain from targeting individuals at healthcare practices and larger organizations. According to Imperva, “Phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.” By submitting to a phishing attack, you could open the door to a larger, inherently malicious effort to gain access to your network.
You may also wonder what happens if you’ve engaged with an email phishing attempt and inadvertently compromised log-in information or financial data. Ramifications for healthcare practices don’t only include unforeseen recovery expenses. Reputational damage can be extensive. Imperva continues, “an organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on the scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.” These losses can drastically impact a practice’s ability to continue serving its patients, but you can greatly reduce the risk by paying close attention to the messages you receive.
Enhancing payment security with Rectangle Health’s solutions
Rectangle Health’s digital payment solution Practice Management Bridge® helps your healthcare practice limit the damage of cybersecurity threats like phishing by tokenizing patient payment information, so that what your systems store is a token rather than the original data. We are also an official Point-to-Point-Encryption (P2PE) service provider, encrypting card data from the initial swipe, through transmission, to the final stage of processing, so cleartext card numbers never pass through your practice’s systems. These measures, together with cloud-based storage, provide strong protection against the data breaches and cyberattacks that may occur at your organization. Our software uses standard web protocols, is digitally signed so its authenticity can be verified at installation, and works alongside your anti-virus software and firewalls.
Our solution complies with HIPAA, EMV, and PCI requirements. It also offers fraud monitoring for potential cyber threats, address verification for each payer, and full chargeback protection should a payment dispute arise.
Practice Management Bridge interfaces with all existing practice management systems for your convenience. Secure features like patient financing, Text-to-Pay, online payments, and customizable messages create efficiencies and facilitate better patient connections, giving you time back to focus on patient care.
Want to learn more about how Practice Management Bridge can help your organization? Contact Rectangle Health today to schedule a consultation.
- National Institute of Standards and Technology. (n.d.). Phishing. Computer Security Resource Center. Retrieved 12/7/2021, from https://csrc.nist.gov/glossary/term/phishing
- IBM. (2021). Cost of a Data Breach Report 2021. Retrieved 12/8/2021, from https://www.ibm.com/reports/data-breach?mhsrc=ibmsearch_a&mhq=cost%20of%20a%20data%20breach
- Federal Trade Commission. (n.d.). How To Recognize and Avoid Phishing Scams. Retrieved 12/8/2021, from https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
- Health IT Security. (2021, March 1). The Phishing Problem in Healthcare. Retrieved 12/8/2021, from https://healthitsecurity.com/news/the-phishing-problem-in-healthcare
- Imperva. (n.d.). Phishing attacks. Retrieved 12/8/2021, from https://www.imperva.com/learn/application-security/phishing-attack-scam/