Do you feel you’re hearing a lot about ransomware, phishing, and hacking these days? You’re not imagining the increase—these buzzwords are everywhere: news media, compliance reports, technology and trade journals; the list goes on. But they represent more than just the latest media buzz. They’re real threats. Cybercrimes remain a problem for dental and medical professionals with little sign of going away anytime soon.
The primary ways your practice can be compromised are through your IT infrastructure and email. The weakest link in the vulnerability chain is people.
Cybercriminals have gotten quite effective at using malicious email to gain access to Protected Health Information (PHI) and other personal information through what’s called “phishing.” They send email that appears to come from a trusted source (like a bank, online payment site, or even a social networking site), designed to get you to click a link, call a number, or respond with personal information. Every day, criminals steal everything from patient and insurance records to passwords, Social Security numbers, credit card information, and account numbers.
Your staff needs to know how to spot phishing, and what to do and what not to do when they come across it. The Federal Trade Commission’s Consumer Division explains that phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment.
These emails may:
- Say they’ve noticed some suspicious activity or login attempts.
- Claim there’s a problem with your account or your payment information.
- Say you must confirm some personal information.
- Include a fake invoice.
- Want you to click on a link to make a payment.
- Say you’re eligible to register for a government refund.
- Offer a coupon for free stuff.
What happens if someone in your office clicks a link (and your email isn’t secure)?
Well, you’ve just left the back door unlocked and let a cybercriminal sneak into your business. Once a cybercriminal gets into your system, usually without detection, they have one goal: wreak havoc to get money. They can lock up your entire records system and hold it for ransom, usually requiring payment in Bitcoin. Every day, thousands of attacks are launched with much success. It’s a scenario you don’t want to deal with, and fortunately one that is preventable.
How to Keep Email Safe
Use a HIPAA-compliant email service.
As a dental health provider, confirm that every email with any connection to PHI, payments, passwords, or other sensitive information is being sent through a secure, HIPAA-compliant email service.
- Check to make sure your secure email service uses its own private network to transmit messages, not the public internet.
- You’ll also know whether your email is fully secure and compliant based on the way email communication is initiated. If your practice must initiate the first message in an email conversation, then your system is highly secure. That is, no one can randomly email you or your staff if you didn’t send a secure email to them first. And since cybercriminals can’t reach you through that channel, phishing and hacking by way of it would not be possible. Once you have that first email interaction with another doctor, pharmacy, patient, etc., your workflow is the same as it would be with any other email.
- If you’re sending PHI via Google, verify you’re using the paid version, Google Workspace Gmail. Even then, bring in compliance experts to verify that your system meets every federal standard for compliance when sharing PHI electronically.
If you’re using regular Gmail with any modifications, you are most likely gambling with the security and compliance of transmitting PHI. You may want to consider using Gmail and other similar services for sending everything that isn’t PHI or sensitive information. Secure and non-secure emails can often be accessed in the same email interface, which means only one login would be necessary to access all your email accounts.
Educate your staff.
Teach your staff—or bring in an IT Managed Services Provider (MSP) to talk with your office—about the best practices to prevent phishing scams.
- Learn to identify a suspicious email and report it to your IT or MSP team. (See the “red flags” section.)
- Most important, never click on buttons/links, call the listed phone number, or respond to the message, especially with personal information.
- If you have a moderately secure email service, replace it with a truly secure, HIPAA-compliant email service, and you’ll significantly decrease the risk of your data being accessed through email.
Following the simple advice in this article can save you headaches and heartbreaks from having PHI stolen or captured and paying a high ransom to get your practice running again.