The most recent OCR information newsletter provided guidance on phishing and how to protect against it.

Phishing is a specific type of cyberattack in which the attacker sends an email or text that appears legitimate but asks for confidential information, such as usernames and passwords, for nefarious ends. This type of email usually tells the employee that his or her password has expired and includes a link to update it. The link is not legitimate, however; it captures the username and password that the employee enters. With a username and password, an attacker can access accounts such as email or, potentially, electronic health records (EHRs).

Another type of phishing comes in the form of an email that carries an attachment containing malicious software. When the attachment is opened, the malicious software may record what the user types (a technique called key-logging) and report it back to the attacker, with the victim none the wiser.

The third form of phishing email delivers ransomware. The attacker's malicious software encrypts the computer's files and notifies the victim that he or she must pay a ransom to regain access. To learn more about that, view our previous post on cyber extortion.

The OCR newsletter also described ways to remain vigilant and help protect against phishing attacks. Some of those methods include:

  1. Watch for unsolicited messages from third parties. If anything seems suspicious, contact the person who sent it to confirm that the message and any attachment are legitimate.
  2. Look at the web addresses given in emails. If a web address looks incorrect, don't click it. Many attackers spoof a web address by making minor changes that aren't easily noticed.
  3. Download only attachments that you are confident are legitimate.
  4. Use multi-factor authentication for all accounts. This reduces the likelihood that an attacker can access an account with just the username and password.
  5. Ensure anti-virus and anti-malware software is up to date. This can help prevent infection by malicious software.
  6. Remember the HIPAA requirement to maintain current backups. It's a requirement for a reason: being able to restore from your backups can neutralize a ransomware threat.
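Item 2 above, checking whether a link's web address has been subtly altered, is something a mail gateway or awareness tool can automate. The Python script below is an added example, not code from the OCR newsletter or from HIPAAgps: it extracts the links from an email body, flags a link whose visible text names one domain while the underlying address points somewhere else, and flags domains that differ from a trusted list only by common character substitutions (such as the digit 1 for the letter l). The trusted-domain list, the sample email, and the two-label rule for extracting a registered domain are constructed assumptions for illustration.

```python
"""Flag suspicious links in an email body (added example, not part of the
original post). Two checks are performed on every <a> link:
  1. the displayed text names a different domain than the real href, and
  2. the href's domain is a near-miss lookalike of a trusted domain."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the organization legitimately uses (assumption).
TRUSTED_DOMAINS = {"example-health.org", "portal.example-health.org"}

# Single-character substitutions attackers commonly use to build lookalikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Simplification: treat the last two labels as the registered domain
    (good enough for .org/.com; a real tool would use the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host):
    """Return 'trusted', 'lookalike', or 'unknown' for a hostname."""
    host = host.lower()
    reg = registered_domain(host)
    trusted_regs = {registered_domain(t) for t in TRUSTED_DOMAINS}
    if host in TRUSTED_DOMAINS or reg in trusted_regs:
        return "trusted"
    # Undo common substitutions ("1" -> "l", "rn" -> "m") before comparing.
    norm = reg.translate(HOMOGLYPHS).replace("rn", "m")
    for treg in trusted_regs:
        if norm == treg or edit_distance(norm, treg) <= 2:
            return "lookalike"
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url_or_host):
    parsed = urlparse(url_or_host if "://" in url_or_host else "http://" + url_or_host)
    return (parsed.hostname or "").lower()


def check_link(href, text):
    """Return a list of warning strings for one link; an empty list means no finding."""
    findings = []
    host = _host_of(href)
    if classify_domain(host) == "lookalike":
        findings.append(f"lookalike domain: {host}")
    # Only compare when the visible text itself looks like an address or hostname.
    if text and " " not in text and "." in text:
        shown_host = _host_of(text)
        if shown_host and registered_domain(shown_host) != registered_domain(host):
            findings.append(f"link text shows {shown_host} but goes to {host}")
    return findings


def scan_email(html_body):
    """Return [(href, visible text, findings)] for every link in the body."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    return [(href, text, check_link(href, text)) for href, text in extractor.links]


# Constructed sample message mimicking the "password expired" lure described above.
SAMPLE_EMAIL = """<p>Your password expires today. Update it here:
<a href="http://examp1e-hea1th.org/reset">https://portal.example-health.org/reset</a>.
Questions? See <a href="https://portal.example-health.org/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL):
        print(href, "->", findings or "ok")
```

Running the script reports two findings for the first link (its domain is a digit-for-letter lookalike of the trusted domain, and its visible text does not match where it actually goes) and none for the second, which is the kind of signal a gateway can use to quarantine a message or tag it with a warning banner before an employee ever sees it.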

To learn what else you can do to protect your patients’ information and your organization, sign up with HIPAAgps today.