Protect Patient Information: Teaching Healthcare Employees about Phishing Scams
Four ways that hospitals can further protect patient information by helping employees avoid phishing scams
Healthcare facilities and insurance companies have started moving most paper patient records to electronic databases. These digital records allow information to move faster and more easily between doctors. Yet electronic files also carry a significant risk of being hacked. For example, nine million patient health records were breached in 2014 alone. These breaches included patients’ names, birth dates, social security numbers, addresses, phone numbers and employment information.
Hackers use a variety of methods to access private information. The attack used most often is the phishing scam. This method sends an email with a malicious link or attachment to thousands of employees, and only one employee has to open it for hackers to gain access to the data held on private servers. The easiest way to combat these attacks is through employee education. To help with this, below we go through four ways that hospitals can further protect patient information by helping employees avoid phishing scams.
Train employees to recognize phishing
Ongoing employee workshops can help train staff on what to look for in phishing emails. Training is becoming especially important as scams grow more complex, with hackers spending more time making their websites and logos look authentic. Employees should also be aware of spear-phishing attacks, which are a more sophisticated scam. In these scams, hackers do extensive research on the intended target and are able to include details about the company or employee that make the email seem more legitimate. After training, facilities should practice by performing simulated phishing attempts against their own staff. This lets executives see how staff handle phishing emails and shows who needs additional work recognizing phishing scams.
Create complex passwords
Another way healthcare facilities can prevent hackers from obtaining private information is to write a security policy requiring employees to create complex passwords that include a mix of capital letters, numbers and special characters. Additionally, employees should not be allowed to use the same password for multiple logins. Their passwords should expire every six months to keep information secure. This matters because once a hacker obtains your password, it is easier for them to guess your next one, as shown by a 2010 study in which researchers who knew a user’s previous password were able to uncover the next password in fewer than five guesses.
Restrict Internet access
Healthcare facilities should construct a policy on Internet browsing during work hours. Careless web browsing can increase the chance of employees falling for a phishing scheme. Another way to keep employees safe from phishing scams is to install a web filter. This filter denies access to fake websites and blocks the download of file types associated with malware. Warning signs of a fraudulent website include a URL that does not use https or that begins with an IP address. If employees come across such sites, they should report them to IT staff immediately so that access can be blocked and information kept protected.
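As an added example (not code from the original article), the checks described above, expressed as a small URL filter in Python: it flags URLs that do not use https, whose host is a bare IP address, or whose path ends in a file extension associated with malware. The extension list and the sample URLs are constructed assumptions for illustration; a real policy would be tuned by the facility's IT staff.

```python
import ipaddress
import os
from urllib.parse import urlparse

# Constructed, illustrative list of download extensions to block (assumption).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".ps1", ".hta")


def is_ip_host(host: str) -> bool:
    """True if the host part of the URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url: str) -> tuple[str, str]:
    """Return ("allow", "") or ("block", reason) for a single URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        return ("block", "not https")
    if is_ip_host(host):
        return ("block", "host is an IP address")
    # Look at the final extension of the path, so "report.pdf.exe" is caught.
    ext = os.path.splitext(parsed.path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f"download of {ext} file")
    return ("allow", "")


def filter_urls(urls: list[str]) -> dict[str, int]:
    """Apply check_url to each URL and count verdicts by reason (for IT reporting)."""
    counts: dict[str, int] = {}
    for url in urls:
        verdict, reason = check_url(url)
        key = verdict if verdict == "allow" else f"block: {reason}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample of URLs an employee might click from a phishing email.
    sample = [
        "https://portal.example-hospital.test/patients",
        "http://portal.example-hospital.test/login",
        "https://203.0.113.7/secure-login",
        "https://files.example.test/invoice.pdf.exe",
    ]
    for url in sample:
        print(url, check_url(url))
    print(filter_urls(sample))
```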
Encrypt sensitive information
While providers can’t prevent employees from falling for every phishing scam, they can still keep sensitive patient information safe. Healthcare facilities can keep private patient information out of hackers’ hands by encrypting data both when it is stored locally and when it is sent from one device to another. With encryption, only staff holding the proper “key” can read the information. Some mobile devices come with encryption software already built in; if that isn’t the case, additional encryption tools can be installed to keep the data more secure. Mobile devices also allow remote disabling and wiping software to be installed, so that all data can be erased from a device once an employee becomes aware that it has been exposed to a phishing scam.
Healthcare phishing scams are not going to end anytime soon. In fact, it’s likely that phishing scams will become more sophisticated as security measures increase. This is why it’s imperative for employees to have up-to-date training on phishing scams. With proper crisis management training, healthcare employees can help stop data breaches involving private patient information by staying educated on preventative measures. Meanwhile, healthcare facilities should continue to improve their online security and encryption processes to stop hackers from obtaining sensitive information.