Oncology & Hematology Coding Alert

Here’s how to avoid going on a phishing expedition.

Healthcare data breaches continue to rise. Breaches of unsecured protected health information (PHI), many from hacking or IT incidents, increased from 247 in 2022 to 543 in 2023, according to data from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach portal (ocrportal.hhs.gov/ocr/breach/breach_report.jsf).

As of Feb. 12, 2024, OCR have recorded a further 65, which currently tracks to a similar total in 2024. So, before your practice becomes another unwelcome statistic, here are 10 great tips take to avoid or mitigate future breaches of cyber security.

1. Remain skeptical: Even if an email was sent to you by a colleague or from an email address that looks like a colleague’s or a business associate of your practice’s, that doesn’t necessarily make it legitimate. Attackers can create fake email addresses that look like the ones you know or even gain access to someone’s email address. Do your due diligence! If there is any hesitation about the legitimacy of the message, you should verify with the supposed sender using an alternate method or new email to make certain it was purposely sent before opening any attachments. Best practice is to use a different method of communication when validating the legitimacy of a message. This will provide confidence as to whether or not an account has been compromised.

2. Stay on top of software updates: Operating systems and software developers release updates regularly when they discover vulnerabilities, security flaws, or any number of other problems. By running these updates as they’re released and vetted by your practice’s IT department, you’ll protect your devices against attackers.

3. Turn off automatic downloads: Your email software settings may have an option to automatically download attachments. If so, disable this feature to protect your computer against possibly dangerous files.

4. Perform frequent backups: If a cyberattack occurs, you’ll be able to get your computer and network back up and running sooner if your practice has backups on hand.

5. Secure legacy systems: If your organization depends on a legacy system to keep things running smoothly, ensure it’s compatible with new software. The chances of a cybersecurity incident are higher with legacy systems, so it’s critical that you manage updates and implement strict authentication protocols.

6. Consider cloud-based email security: For staff working from home, a cloud-based email system can help curtail ransomware woes and secure your data more efficiently as your IT team and vendor have easier access to shut down issues.

7. Employ a phishing test: Time and again, phishing is the culprit that takes systems down with just one click on a link. Phishing tests are important to sidestep these common attacks. “A phishing test is the practice of sending phishing messages to employees, and, if someone clicks on it, they are afforded the opportunity to learn more about phishing,” says Adam Kehler, director of RSP Healthcare Services at Online Business Systems. “This is an extremely effective training method and is relatively inexpensive.” “Do not exempt physicians and executives. They are the biggest target and often the most likely victims,” Kehler says.

8. Use encryption: Your employees may lack the skills to identify a phishing scheme, and that’s where encryption technology comes into play. Email encryption can help your organization authenticate emails with tools to ensure that the email isn’t a phishing attack.

9. Make training ongoing: Your employees are going to get a wealth of HIPAA and IT training when they start at your practice — but that shouldn’t be the end of their data security education. With each new threat — and especially if an incident occurs — you must update and retrain staff, keeping them in the loop and offering tools and guidance.

10. Trust your gut: Don’t open any email or attachment if it seems suspicious. Your computer’s antivirus software could even be fooled into thinking the message is safe. Attackers constantly release new threats before protection software has been updated. If you feel uneasy, trust your gut.

Keep these tips handy to serve as a reminder the next time you receive an unsolicited email with an attachment.