Motivated by the high demand for health information on the black market, bad actors want access to networks and information systems of healthcare organizations. These bad actors have time, resources, and know-how to gain access to the valuable health information on individuals which organizations have.
For yourself, your family and the sake of your business or employer, you should be concerned about the privacy and security of personal health data. Medical identity theft through phishing is becoming increasingly common, with the worth of personal medical data 50 times greater on the black market than the worth of credit card data, says Dr. Marlowe Schaeffer-Polk, CEO of DoctorsDoDigital.
Experts say nearly half of all companies and consumers have experienced security breaches or hacks in the past year. According to the Identity Theft Resource Center, 42.5 percent of the security breaches identified in 2014 took place within the medical industry. The 6th Annual HIMSS Security Survey found that 19 percent of respondents reported a security breach during the past year.
Phishers use sophisticated tactics
A physician and an attorney, Dr. Schaeffer-Polk defines phishing as electronic communication intended to acquire sensitive, personal information by masquerading as a trusted entity or brand name. Phishers are becoming increasingly sophisticated, pirating logos and using familiar website graphics to make their messages look credible.
Dr. Schaeffer-Polk says phishers use social engineering techniques as a basis for their deviousness – most commonly the hardwired human impulses of “fear” and “fame.”
Fear plays into the insecurity that you may lose something if you don’t act, she explains. Phishers use language such as “you better act now, or you will lose your account” if your social security number or password is not provided. There’s urgency involved.
Fame massages our ego and manipulates our sense of importance, Dr. Schaeffer-Polk says. A common tactic is a flattering letter from a celebrity that promises an honor or prize if you provide personal information.
Other common techniques and phrases used by phishers:
- “Verify your account.”
- Requests for your social security number.
- A tight deadline, such as “within the next 48 hours.”
- Dear “Valued Customer,” rather than using your name.
- Requests to click a link. It’s good practice to hover your cursor over the link before clicking it to see whether the URL matches the message sender.
- Requests to open an attachment.
- The use of broken English.
- Dates written as day/month/year rather than month/day/year.
- Promises of free or discounted goods or services.
- Subtle disguises such as a link to “Micosoft” rather than “Microsoft.”
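The tells in the list above can be turned into a simple triage check that a mail gateway or a help desk could run over a reported message. The script below is an added example, not code from the article, from Dr. Schaeffer-Polk or from HIMSS. The phrase and brand watch-lists are assumptions you would tune for your own environment, the "last two labels" rule for the registrable domain is a simplification (a production tool would consult the public suffix list), and both sample messages are constructed for the demonstration. It flags urgency language, a generic greeting, a link whose domain does not match the sender, and a misspelled brand such as "micosoft".

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample showing several of the listed tells at once (not a real message).
SAMPLE_EMAIL = """From: Microsoft Account Team <security@micosoft.example>
To: you@example.org
Subject: Verify your account within the next 48 hours

Dear Valued Customer,

You better act now, or you will lose your account.
Confirm your details here: http://account-verify.example/login
"""

# Constructed benign sample: same sender and link domain, no pressure language.
CLEAN_EMAIL = """From: Jane Doe <jane@example.org>
To: you@example.org
Subject: Lunch on Thursday

Hi Sam,

Are you free Thursday? The agenda is at https://example.org/agenda
"""

# Assumed watch-lists; extend them for the brands and phrases relevant to you.
BRANDS = ["microsoft", "paypal", "medicare"]
URGENCY = ["act now", "within the next 48 hours", "lose your account", "verify your account"]
GENERIC_GREETINGS = ["dear valued customer", "dear customer", "dear user"]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brands(text):
    """Return (word, brand) pairs where a word imitates a brand with at most two edits."""
    found = set()
    for word in set(re.findall(r"[a-z]+", text.lower())):
        for brand in BRANDS:
            if word != brand and len(word) >= 6 and levenshtein(word, brand) <= 2:
                found.add((word, brand))
    return sorted(found)


def registrable(host):
    """Simplified registrable domain: the last two DNS labels (assumption, not a PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse(raw):
    """Return a list of (indicator, evidence) findings for one RFC 822 message string."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = parseaddr(msg["From"] or "")[1]
    sender_domain = sender.rsplit("@", 1)[-1]
    text = (msg["Subject"] or "") + "\n" + body
    low = text.lower()
    findings = []

    for phrase in URGENCY:
        if phrase in low:
            findings.append(("urgency", phrase))
    for greeting in GENERIC_GREETINGS:
        if greeting in low:
            findings.append(("generic greeting", greeting))

    # The "hover over the link" check, done programmatically: link domain vs. sender domain.
    urls = re.findall(r"https?://[^\s<>\"]+", body)
    for url in urls:
        host = urlparse(url).hostname or ""
        if registrable(host) != registrable(sender_domain):
            findings.append(("link/sender mismatch", url))

    # Misspelled brand names in the subject, body, sender domain or link targets.
    for word, brand in lookalike_brands(text + " " + sender_domain + " " + " ".join(urls)):
        findings.append(("lookalike", f"{word} ~ {brand}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("SAMPLE_EMAIL", SAMPLE_EMAIL), ("CLEAN_EMAIL", CLEAN_EMAIL)):
        print(name)
        for indicator, evidence in analyse(raw) or [("no indicators", "")]:
            print(f"  {indicator}: {evidence}")
```

Running the script prints four indicator types for the constructed phishing sample and none for the benign one. The point of the lookalike check is that a one-letter change like "micosoft" is easy for a reader to skim past but trivial to catch by edit distance; the domain comparison does in code what the hover-over-the-link advice asks a reader to do by eye.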
Don’t communicate personal information via email, text or social messages
No matter the message, never provide personal information via email. This information includes your social security number, medical or health insurance identification numbers, and references to any medical conditions you have.
If you fall victim to a phisher’s trick, malware will get into your network. There’s usually a long period of time between the intrusion and the realization that your network has been invaded – an average of more than 200 days, Dr. Schaeffer-Polk says.
From a privacy and security standpoint, the weakest link in the line of defense is the end user, she explains. Tests performed among organizational employees to see if they can spot phishing emails and other messages have had failure rates as high as 80 percent. For this reason, organizations need to step up educational efforts to inform their employees of the danger. Privacy and security are no longer just an IT problem.
The danger extends from email to text, instant and social messages. It’s very important to consider Twitter, Facebook, LinkedIn and other social networks as public networks.
You may be a target
Phishing attacks are not necessarily random. You may be personally targeted because of your position, your organization, who you know, what you know, or what you have access to (or what you can find out).
So, when you receive an interesting, yet suspicious email or social message, stop and think. Is this for real? The best move may be to hit delete. Don’t fall into the phish tank.
To learn more:
- Listen to this HIMSS podcast: Episode #33: Data Phishing on the Rise.
- See this guide to privacy and security awareness initiatives from HIMSS and the National Cyber Security Alliance.
- See the HIMSS Privacy and Security webpage for toolkits, news and involvement opportunities.