As the healthcare industry continues to be a target for cybercriminals, InstaMed Security Officer Noah Dermer authored a piece for the HBMA publication RCM Advisor where he shares best practices that billing services can implement to protect sensitive data from phishing scams.
Read the full article, Has Your Data Gone Phishing?, in RCM Advisor. Below is an excerpt from the article.
There are a few best practices to protect yourself and your billing services against hacking attacks. Here’s how you can make sure you’re operating with a complete tackle box.
As spring takes hold and summer approaches, fishing trips are a popular pastime and all anyone can talk about in my part of the country. I am not, however, a fisherman and don’t know much about the sport, but I don’t let that hold me back! I still find ways to contribute by interjecting a few jokes about phishing and spear phishing that usually reel in the laughs.
- What are hackers doing when they target billing services? Phishing docs.
- What’s another name for a hacker that uses phishing to trick email recipients? A prawn artist.
- What do you call a phishing attempt that uses a funny video link to get you to click? A clown phish.
I’ll cap it at three phishing jokes for this article. No need to go overboard. The truth is, phishing is no laughing matter. An estimated 91 percent of hacking attacks begin with a phishing or spear phishing email, so healthcare organizations should be very serious about tackling this threat head-on — no pun intended. One of the best ways to protect against phishing emails is to educate your staff and provider clients about these kinds of attacks. First, let’s define phishing and spear phishing.
If a recipient of a phishing email opens a malicious attachment or clicks on a link, he or she might download a program that installs malware onto the system, compromising the entire system and exposing sensitive data to theft. In other scenarios, a phishing email might lure a victim to a website that appears legitimate and tricks the user into disclosing private information like a username and password or bank information. It’s easy to be deceived by a phishing scam. Ninety-seven percent of people globally can’t correctly identify a sophisticated phishing email (Intel). Often, phishing emails are disguised to look like they came from an IT resource or someone within your organization. There are also millions of phishing emails—about 156 million—sent daily. Of those 156 million, about 16 million get through spam filters to your inbox and 8 million of those are opened. What’s the risk? According to research from the Ponemon Institute, phishing costs an average 10,000-person company almost $4 million USD annually.
There are a few best practices to protect yourself and your billing services against these attacks. Here’s how you can make sure you’re operating with a complete tackle box:
- Educate Staff So They Don’t Fall for the Bait: JP Morgan performed a test to see how many employees would open and click a fake phishing email. They found that 20 percent of their staff fell for the bait. Make sure you are consistently educating everyone in your organization about phishing scams. While some may be easy to detect, such as a foreign prince offering to give you an inheritance, more sophisticated scams, such as a request from a coworker for your password, are harder to spot. Train staff to be on the lookout for anything that seems fishy; even the best-engineered scams often contain a giveaway.
- Use the Best Gear, and Keep It Updated: There are many tools available to help organizations monitor emails and filter out phishing scams. Look into options like intrusion detection systems (IDS), intrusion prevention systems (IPS), and host intrusion prevention systems (HIPS), which can detect and prevent malicious activity. You should also make sure every device is equipped with anti-malware/anti-virus software and inform staff that they should always install new updates for this software to ensure the highest level of virus protection.
- Keep Sensitive Data off Your Network So There Aren’t Any Fish to Phish: The best way to protect sensitive data from phishing scams is to limit the amount of data that lives on your network. Healthcare organizations can leverage technologies that protect data stored or transferred on their networks. For example, tokenization converts data into a token that is associated with your organization. This unique association prevents someone from using the stolen token for anything other than the intended purpose. To keep with the fishing analogies, you could compare a token to the keys to a fishing boat. If someone steals your boat keys, they can’t then stick them into the ignition of another boat and drive away; the keys only work with your boat.
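To make the tokenization point concrete, here is an added illustration that is not from the article and does not describe InstaMed's product: a hypothetical in-memory token vault (`TokenVault`, `replace_sensitive_fields`, and the org and record values are all constructed for this example). Each token is a random surrogate with no mathematical relationship to the underlying value, it is bound to the organization that requested it, and only that organization can exchange it back. A billing record stored on the network then carries tokens instead of the sensitive fields, so a phished mailbox or workstation yields nothing usable.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class TokenVault:
    """Hypothetical tokenization vault (example code, not a real product).

    The vault is the only place the sensitive value lives; everything else
    on the network sees just the random token.
    """
    # token -> (owning org id, original sensitive value)
    _store: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def tokenize(self, org_id: str, value: str) -> str:
        """Issue a fresh random token for `value`, bound to `org_id`."""
        token = secrets.token_urlsafe(16)  # random, not derived from value
        self._store[token] = (org_id, value)
        return token

    def detokenize(self, org_id: str, token: str) -> Optional[str]:
        """Return the original value only for the org that owns the token."""
        entry = self._store.get(token)
        if entry is None:
            return None
        owner, value = entry
        if not secrets.compare_digest(owner, org_id):
            return None  # stolen token presented by a different org: useless
        return value


def replace_sensitive_fields(vault: TokenVault, org_id: str,
                             record: dict, fields: tuple) -> dict:
    """Return a copy of `record` where each field in `fields` holds a token.

    The copy is what may be stored on the billing service's own network;
    the originals stay in the vault.
    """
    stored = dict(record)
    for name in fields:
        if name in stored and stored[name] is not None:
            stored[name] = vault.tokenize(org_id, str(stored[name]))
    return stored


def exposed_values(stored_record: dict, fields: tuple, originals: dict) -> list:
    """List any sensitive originals still present in the stored record."""
    return [name for name in fields
            if str(originals.get(name)) in str(stored_record.get(name))]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; values are placeholders, not real data.
    claim = {"patient": "J. Doe", "member_id": "MBR-000123", "card": "4111111111111111"}
    safe = replace_sensitive_fields(vault, "billing-co", claim, ("member_id", "card"))
    print("stored on network:", safe)
    print("owner can redeem:", vault.detokenize("billing-co", safe["card"]))
    print("other org cannot:", vault.detokenize("other-org", safe["card"]))
```

The design choice that matters is that `tokenize` draws the token from `secrets` rather than hashing or encrypting the value: a hash of a short identifier can be brute-forced offline, whereas a random surrogate carries no information at all, and the org binding in `detokenize` is what makes the stolen "boat keys" useless in anyone else's ignition.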
While phishing scams are frequent and becoming more sophisticated, following these best practices will help protect your organization and keep you from falling for the bait hook, line, and sinker.