Phishing, Pharming, Vishing and Smishing - Dangerous Communications
Phishing, pharming, vishing and smishing - oh my! Cyber security is a hot topic. Are you and your medical practice prepared for the variety of ways you could be at risk?
Posted in Risk Management on Thursday, March 17, 2016
Your employee policy manual should provide guidance on how to handle email from unknown senders and when it is acceptable to click links or open attachments. A phishing attempt may be preceded by a benign-looking email that builds trust, so the reader comes to believe the sender or site is safe. Once the reader is lured in, the attacker follows up with the phishing email that carries the malicious link or attachment. One medical practice was compromised when an employee clicked on what looked like a picture of flowers. It seemed harmless, but it resulted in the practice's computer system being hacked.
Has your policy manual addressed pharming? Pharming is a scam in which an attacker plants malicious code on your computer or network, or tampers with its DNS settings, so that requests for a legitimate website are silently redirected to a fraudulent look-alike site without your consent or knowledge. Because the address typed into the browser is correct, the victim gets no visible cue that anything is wrong.
Vishing (voice phishing) is the telephone version of the same scheme: someone calls you and pretends to be someone else with the intent of stealing sensitive information. For example, a caller may claim to be from your Electronic Medical Record (EMR) software provider and to be working on software updates. He or she may sound credible enough to get you to lower your guard.
Smishing uses cell phone text messages (SMS) to get at sensitive information. Smishing messages usually contain a URL or a phone number to call and claim that your immediate attention is required.
What can you do to protect your practice?
- Make sure your system and communication devices are encrypted for data both in transit and at rest
- Make sure your practice’s policy manual addresses cyber-activity schemes for each mode of communication you use
- Include protocols for what to do when questionable communications are received
- Review the policy annually with a mandatory sign off for employees confirming the date of review
- Provide annual cyber-safety training so everyone is aware of current hacking schemes
- Create an incident response plan so that, if your data is breached, protocols are in place to minimize the damage
- Keep software updated and apply security patches promptly when they are released
- Comply with HIPAA and HITECH requirements as well as pertinent federal or state laws
- Use Business Associate Agreements when outsourcing services
At PSIC, we believe cyber-security is an important aspect of your practice which is why network security and privacy proceedings coverage is endorsed to our physician professional liability coverage.