Cybersecurity in 2021 is the hot topic across all platforms and businesses. Companies across the globe are at constant risk of a breach due to backdoors, weak cybersecurity practices, poor training, and an overall lack of awareness and planning.

In the healthcare world, and the ASC world in particular, it is critical to be diligent and detailed, with a thorough and continuous plan for training users and stopping bad actors from infiltrating systems and stealing protected health information (PHI).

What Is Phishing?

One of the easiest ways for a bad actor to get into an environment is via phishing. Phishing is a cybercrime that uses tactics including deceptive emails, websites and text messages to steal confidential personal and corporate information.

Email phishing is a common and easy method: a bad actor emails an end user and tries to trick them into believing the message comes from a legitimate source requesting information such as login credentials or PHI.

Often these appear to come from a safe email address and contain safe-looking links, but in reality the links lead to landing pages and deceptive sites built to mimic legitimate ones. (In fact, while working on this post I received a phishing attempt from a seemingly legitimate user at a pain center, which has since issued a separate email acknowledging the breach and requesting that I delete the phishing email.)

How to Identify Phishing

Things to look out for with email phishing include:

  • Unknown senders who send a blank email with an attachment only or known senders who out of the blue send an attachment with very little text or context.
  • Emails from upper management with a generic greeting requesting immediate action on your part. Their email address may look similar, but with a slightly modified domain name.
  • Anything that requests you to sign in through an external web link asking for your username and password.

Protecting Yourself from Phishing Attempts

The first step in avoiding becoming a victim of phishing is educating end users on what to look out for. Reporting any suspicious email to your IT team and verifying unknown senders is good practice. Your IT team can do their part by implementing basic security policies within their on-premises or Office 365 email environment. Methods such as geographic blocking, allowed and blocked domains and senders, and Sender Policy Framework (SPF) checking are a few of the policies your IT team can put in place to keep out the bad actors.
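To make the indicators above concrete, here is an added example (not code from the original post) of a small triage script that applies them to a raw email message: it flags a sender domain that is a lookalike of a trusted domain, an SPF verdict other than "pass" taken from the Authentication-Results header, links to external sign-in pages, and an urgent call to action in the body. The trusted domain "example-asc.com", the two sample messages, and the lookalike heuristics are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical trusted domain for the organisation (assumption, not from the post).
TRUSTED_DOMAINS = {"example-asc.com"}

# Words in a link that suggest a credential-harvesting sign-in page.
LOGIN_WORDS = ("login", "signin", "sign-in", "password", "verify", "account")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if domain is close to, but not equal to, a trusted domain.

    Catches a one- or two-character change (examp1e-asc.com), the 'rn' for 'm'
    substitution, and the trusted name registered under a different TLD.
    """
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return False
    label = domain.rsplit(".", 1)[0]
    for trusted in TRUSTED_DOMAINS:
        if label == trusted.rsplit(".", 1)[0]:   # same name, different TLD
            return True
        if domain.replace("rn", "m") == trusted:  # homoglyph swap
            return True
        if edit_distance(domain, trusted) <= 2:
            return True
    return False


def spf_result(msg) -> str:
    """Read the SPF verdict from Authentication-Results (RFC 8601); 'none' if absent."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def suspicious_links(body: str) -> list:
    """Return http(s) links whose host is outside the trusted domains and
    whose URL mentions signing in."""
    found = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_DOMAINS and any(w in url.lower() for w in LOGIN_WORDS):
            found.append(url)
    return found


def triage(raw: str) -> list:
    """Apply the post's indicators to a raw RFC 5322 message; return findings."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain: {domain}")
    verdict = spf_result(msg)
    if verdict != "pass":
        findings.append(f"SPF check did not pass (spf={verdict})")
    # Plain-text body; multipart messages are flattened to their text parts.
    body = msg.get_payload() if not msg.is_multipart() else "\n".join(
        p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in suspicious_links(body):
        findings.append(f"external sign-in link: {url}")
    if re.search(r"\b(immediately|urgent|right away)\b", body, re.I):
        findings.append("urgent call to action in body")
    return findings


# Constructed sample messages (not real email).
SAMPLE_PHISH = """\
From: "Director of Operations" <ceo@examp1e-asc.com>
To: nurse@example-asc.com
Subject: Action required
Authentication-Results: mx.example-asc.com; spf=fail smtp.mailfrom=examp1e-asc.com
Content-Type: text/plain

Hello,
Please sign in immediately to confirm your account:
http://portal-login.example-asc.co/signin
"""

SAMPLE_LEGIT = """\
From: "Scheduling" <scheduling@example-asc.com>
To: nurse@example-asc.com
Subject: Tomorrow's schedule
Authentication-Results: mx.example-asc.com; spf=pass smtp.mailfrom=example-asc.com
Content-Type: text/plain

Hi, the updated schedule is on the intranet: https://example-asc.com/schedule
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw))
```

Run as a script, the phishing sample produces four findings and the legitimate sample none. A real deployment would take the trusted-domain list from the organisation's mail configuration and read the Authentication-Results header only from the organisation's own receiving mail server, since anything the sender inserted upstream can be forged.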

If possible, use more secure methods such as SFTP or a secure file-transfer site for moving PHI rather than sending it by email.

It’s never a bad idea to verify ALL senders if something doesn’t look exactly right. If your gut is telling you something doesn’t seem right or is too good to be true, trust your instinct.

If for any reason an end user has fallen victim to a bad actor, it is important to reset their password immediately. It’s also a very good idea to implement two-factor authentication on email for all users.

No matter the approach to battling this growing issue, the best advice for any company is to educate users, question all suspicious emails, and verify all requests.