As more and more physicians and hospitals transition into the digital age, a vast amount of personal health data becomes ‘bait’ in the internet phishing world. While EHR system security is often a top priority, secure hosting and encryption of health information can do little to stop email phishing scams.

It’s as simple as this:

  1. A faculty physician at a large university health system receives an e-mail appearing to be from the hospital’s information technology staff.
  2. The e-mail requests the doctor’s login information in order to perform routine security upgrades to the system.
  3. This seems like a legitimate request from a reliable source; the physician replies, providing his/her login and password.

By providing this information the physician unknowingly allowed an internet scammer access to the health information of more than 600 patients. What will stop this from happening? Unfortunately, it will be up to physicians and those who have access to digitized patient information to be aware of such scams. They must utilize their end-user smarts and sound judgment when prompted via email to provide login and account/system access information.

Interestingly, this type of scam is called “spearphishing” because it has a targeted end-user in mind and the scammer uses a fictitious email that actually appears to be from a familiar and reliable source. This email may instruct the recipient to do two things:

First, the scammer can request a reply containing information such as credentials, login information or account information. Then, the hacker can gain access to files, accounts or records.

Second, the email may provide a link to a website that may seem real, but clicking on the link actually puts a virus on the computer. Clicking the link could also download software that provides the hacker with remote access to the computer or network.

Tips to identify spearphishing:

  1. Spearphishing emails will appear to come from a company with which a physician or EHR system user has frequent communication.
  2. Look at the sender’s email address and any URL in the message; make sure each reflects the company name correctly.
  3. Unless one is 100% certain the source is reliable, he/she should NEVER click on a link provided in an email without checking with the source of the email and/or the IT department first.
  4. If an email is requesting a reply containing personal information, call to verify with the source before sending this information.
  5. Be careful about downloading attachments from an email. As stated previously, the source of the email and attachment should be verified before it is downloaded.
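The three checks above (sender domain, link destination versus what the link shows, and a request for credentials) can be automated as a first-pass triage. The script below is an added example, not code from the original article; the trusted domain and the sample message are constructed for illustration, and the sender address contains a lookalike domain (a capital I in place of an l).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed trusted domain and a constructed sample message (not real mail).
TRUSTED_DOMAIN = "example-health.org"
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example-heaIth.org>
To: doctor@example-health.org
Subject: Routine security upgrade
Content-Type: text/html

<p>Please reply with your login and password so we can upgrade your account,
or confirm at <a href="http://example-health.org.evil-example.test/login">example-health.org</a>.</p>
"""

# Words that, in a message body, suggest a request for account credentials.
CREDENTIAL_WORDS = ("password", "login", "username", "account number")

def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    return parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()

def link_mismatches(html):
    """Return (href_host, shown_text) pairs where the visible link text names a different host."""
    out = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        host = urlparse(href).hostname or ""
        shown = re.sub(r"^https?://", "", text.strip()).split("/")[0].lower()
        if shown and shown != host:
            out.append((host, shown))
    return out

def assess(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    dom = sender_domain(msg)
    if dom != trusted_domain:
        findings.append(f"sender domain {dom!r} is not {trusted_domain!r}")
    if any(w in body.lower() for w in CREDENTIAL_WORDS):
        findings.append("message asks for credentials")
    for host, shown in link_mismatches(body):
        findings.append(f"link text {shown!r} points to {host!r}")
    return findings
```

Run `assess(SAMPLE_EMAIL)` to see all three findings fire on the constructed message; a plain message from the trusted domain produces none.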

Unfortunately, patients may also be bait for spearphishers. If a hacker is able to access patient information from a hospital or health system’s EHR system, he/she may obtain patient contact information, and could continue his/her spearphishing scam by emailing or calling patients and requesting more personal information. It is recommended that physicians, patients, and medical staff heighten their end-user smarts, and be aware of such phishing attacks. Being aware of such scams helps physicians and medical facilities take all of the precautions necessary to help ensure safety and security of digitized health information.

For the original article, please visit American Medical News