[Today's guest post was submitted by Dr. Dewan Farhana, a tech entrepreneur who blogs at Doctor Finances about health care technology and financial literacy. We have no financial relationship.]
In a world where almost everything we do is online, including all of our banking and asset management, online security is of the utmost importance for every individual and business. Most of us have been taught to avoid thieves physically, enter our homes carefully, and secure our cars, but cybersecurity is new to almost everyone. We haven’t been taught to be vigilant about the invisible threats lurking online. In fact, most of us are walking around with our “pants down” when it comes to online security.
In addition, after the COVID-19 pandemic hit, many medical professionals suddenly had to embrace online systems and processes in order to survive, which increased exposure to cyberattacks across the board: an attack on one provider can spill over to others, because multiple providers are often linked to the same patient and their sensitive information. While we have all heard of cyberattacks on organizations, the average person didn’t need to worry about it quite as much. However, it is now extremely important to make sure you have the proper online protections in place to protect your wealth and your information—whether that is your bank accounts, your identity, or the sensitive information held by your medical practice or hospital.
Although cyber hacks are happening to people personally and across all industries, here are some startling statistics from 2019 to further illustrate the importance of online security for medical professionals. Since 2016, 93% of healthcare organizations have experienced a cyberattack, and four out of five breaches in the health care sector are against providers. This makes sense, since hackers gain direct access to patients’ sensitive information and get a two-for-one deal: both the provider’s information and their patients’. Since 2015, the personal medical record information of more than 300 million (yes, that’s million) people has been stolen.
Why are Medical Professionals More Susceptible to Cyberattacks?
High-Income Targets
Medical professionals are known to have higher incomes, and hackers can profit greatly from cyberattacks. One tactic they use specifically against the medical profession is to hold information hostage. Imagine losing all access to your files unless you fork over a ransom for your data. Entire cities and companies have been held hostage in this way.
Access to Sensitive Information
As I mentioned above, medical professionals have social security numbers, insurance information, payment information, addresses, phone numbers, ages, etc. on file, so hackers can find a literal goldmine of information to exploit in one place. This can lead to bank fraud, identity theft, and even ransom based on the threat of exposure of private medical information.
Online Presence
An online presence is a huge benefit for patients, and for providers seeking new patients: websites, preferred-provider listings on insurance sites, professional organization directories, online booking, telemedicine, etc. The flip side is that hackers know exactly where to look, and can easily search those same locations to target medical professionals.
12 Ways to Protect Yourself From Cyberattacks
While potential cyberattacks are real, there are ways medical professionals can protect themselves, their assets, and their patients.
#1 Be Aware and Hypervigilant of the Lifestyle Data You Share Online
“Social engineering” is the major threat to your security in the long run, and much of a person’s data can easily be plucked from social media, including the social media profiles of family members and also those who work in the same office. Hackers get to your information through “social engineering”, which means they mine the data in your social accounts (including professional accounts like LinkedIn) and look for information that can be used to breach weak points, such as simple passwords or easy password-reset questions. Practice vigilance, and select security questions and passwords that are actually hard to answer or guess even by your closest confidantes.
#2 Use Intricate Computer-Generated Passwords to Protect Your Information
Use apps like LastPass, 1Password, or Bitwarden, and make sure your master password is as strong as possible and changed frequently. Do not write down your master password anywhere—it’s literally the keys to the kingdom. These apps work on every device, and make it trivially easy to never use the same password twice. Remember: your password can be stolen from a badly designed third-party website, not just guessed by trying all the combinations. If you keep password information in a file on your computer, or somewhere that’s easy to find and/or be hacked (like Google Docs), cyberattackers can access all your accounts—both professional and personal.
What of the password managers themselves? Good ones use encryption across the entire chain of data ownership, so that even if their own servers are hacked, the data gathered by the attackers is useless.
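As an added example (not code from the post or from any vendor’s product), here is a stdlib-only Python model of the split that paragraph describes: a vault key that never leaves the device, and a separate authentication hash that is all the server ever sees. The email address, iteration counts and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative model of an end-to-end password-manager design (not any vendor's
# actual scheme). The master password never leaves the device: the client derives
# a vault key (used locally to encrypt the vault) and a separate auth hash (sent to
# the server). The server stores only a salted hash of the auth hash, so a breached
# server record contains neither the master password nor the vault key.
CLIENT_ITERATIONS = 100_000  # assumed work factor; real products use more
SERVER_ITERATIONS = 50_000   # assumed extra hashing applied by the server


def derive_client_keys(master_password: str, email: str) -> "tuple[bytes, bytes]":
    """Client side: returns (vault_key, auth_hash). Only auth_hash is ever sent."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ITERATIONS)
    # One further one-way step, so the server-visible value cannot be turned
    # back into the vault key that protects the vault contents.
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def server_enroll(auth_hash: bytes) -> dict:
    """Server side: re-hash the received auth hash with a fresh salt before storing it."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Server side: constant-time comparison against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def login(record: dict, master_password: str, email: str) -> Optional[bytes]:
    """Full flow: derive both values on the client, authenticate with the auth hash,
    and hand the vault key back to the local app only if the server accepts."""
    vault_key, auth_hash = derive_client_keys(master_password, email)
    return vault_key if server_verify(record, auth_hash) else None
```

Note that the vault key is not itself a valid login credential, and the stored record contains neither secret: that is the property that makes a breached server database useless on its own.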
#3 Make Sure Your Software Is Up-to-Date
Operating with old, outdated software will give you gaping security holes, so make sure that not only your office computers but your personal computers and phones are continually up-to-date as well. The first thing to update is your operating system (Windows, MacOS, iOS or Android, for example). Install reputable security software that scans your devices for viruses and prevents bad programs from running on all your devices to help thwart “drive-by” attacks. Check with your ISP for a free copy!
#4 Click Carefully
If an email asks you to do something security-related, do not click the link in the email (even if you are sure). Instead, go to the website directly and enter the information. The exception is confirmation links sent by email, some of which are too long to type by hand. Even then, inspect the link very carefully for errors or typos. Once you have clicked to confirm, immediately close that web page, even if you would like to log in or use the service right then. Type in the address manually in a new tab or window.
#5 Never Wire Money
A bank wire is like a cashier’s check—once it’s out of your hands, it’s as good as cash. Few vendors will ask for a wire (with perhaps the exception of mortgages and remote car purchases). However, most of these now allow you to enter your bank information on their site instead. For personal transactions, use Venmo, PayPal, or one of the other services to send money much more rapidly and securely.
#6 Apps Are Great But Be Very Careful
Whether it’s an app for your phone or your computer, installing an app is the same as letting a stranger into your digital home. Make sure the app is from a reputable vendor. For apps that come from third parties, go to their websites and click through from there for an additional layer of security. As to searching the app store, scrutinize the name to make sure there is not a copycat with a similar name trying to trick you.
#7 Do Not Give Personal Information Over the Phone or Randomly In-Person
This one may seem obvious, but in the midst of our busy days we can forget to verify the caller, especially if they are saying the “right words,” so it’s important to always double-check or call back before sharing any personal information. Remember that no institution that has access to privileged data will ask for that information over the phone. If you must, tell them you will call back, then look up the number separately on the Internet and call that public number.
#8 Continue Using a Paper Shredder
It’s important to shred any sensitive information as snoopers are everywhere looking for weaknesses. At the least, it’s easy for someone to apply for credit on your behalf. A good shredder can cost $30 and save you thousands in time and effort.
#9 Protect Your Payment Cards
Credit card fraud is becoming more commonplace as hackers get smarter. So, make sure to take the following steps to protect your credit card accounts, both personal and professional:
- Set alerts on all your accounts so you’re contacted when charges are made.
- Install the apps for your credit cards and bank, and set them to notify you whenever a payment is made.
- Look through credit card activity regularly—this can also let you track down sneaky services that increase in cost silently, like your cable bill!
- Be aware of skimming devices where you use your credit cards and especially debit cards. Give the keypad and card reader cover a sharp tug to make sure they are firmly attached, and cover the keypad when entering your PIN.
- Generally, avoid the use of debit cards unless you must. Your rights with regards to theft from a debit transaction are quite limited.
- Make sure your cards have chips. Especially in the age of COVID, use Apple/Google/Samsung Pay to make contactless and secure payments where possible.
- Destroy all receipts or scan and file them electronically in password-protected folders. Also be sure to destroy old cards, licenses, and other paperwork.
- If you travel internationally, call and let your credit card company know in advance, or simply use their websites or apps.
#10 Freeze Your Credit
If you will not be accessing your credit soon to refinance, purchase a new home or apply for a loan/lease/credit card, freeze all of your credit reports (including all family members) to prevent hackers from opening new accounts under your name.
#11 Inform and Assist Your Employees and Coworkers
Security works in layers. If you want your practice or workplace to be secure, make sure that everyone is on board with the importance of security. Help them protect themselves, which will help them protect you. Big breaches often happen because the lowest member on the totem pole with access makes a mistake.
#12 Help an Older Parent or Grandparent Protect Their Information
Older people are quite vulnerable to hackers, and, if time permits, it’s a good idea to help an older family member who is not tech-savvy also protect their accounts.
Online security can be one more tedious thing to add to your list, but it’s crucial that you protect your personal and professional life from cyberattacks as it can happen to anyone, especially in the medical profession. In today’s online-intensive world, online security is a must-have and a must-do, perhaps even more than setting up a home security system, as most of our valuable assets are online now! So take the steps now to keep you and your assets, especially your most valuable professional ones—your patients and their information—as secure as possible. You’ll save yourself a tremendous amount of frustration, wasted time, and lost money—and often those can be the least of your losses.
Which of these tips for protecting your online security have made a difference for you and your practice? What else have you done? Comment below!
LastPass has been a lifesaver for me since I started using it a few years back. Totally worth the costs. Stores the hundreds of passwords you need nowadays for work/home/business/etc. Creates random passwords of whatever complexity you’d like to use for your accounts. Obviously the security is really dependent upon your ‘master’ password, but I just created a completely random string of letters/numbers and memorized it, and it’s really the only password I need to remember now.
I’m sure other programs are the same, but some sort of secure password storage is great. Granted if the company itself was hacked…ohhhh boy.
If only it could be used at the hospital….
You can have it on your phone at the hospital and reference it when needed, so it sort of can!
Yea but who wants to type in a 30 digit passcode 27 times a shift?
There are many of them:
RoboForm
Dashlane
1Password
Enpass
Bitwarden
#5- Never Wire Money
The private Real Estate Funds I’ve invested with all require a wire. Including CityVest which Jim has a connection with.
I’m thinking wire is probably okay with these funds in addition to the ones mentioned above? I don’t think you can invest with them otherwise.
No current connection with CityVest, but they’ve advertised with us before.
But no, I wouldn’t necessarily agree with a general/no exceptions rule to never wiring money. Most of us have wired a down payment to buy a home for instance. I’ve found that wires are far more common above $25-100K and ACH transfers are more common below those amounts. I’ve done both for real estate deals. Most of them will take a check if you really make a stink about it.
Best practice with wires is to call and confirm the instructions you receive by email. I know of at least one real estate investor who had someone hack her email, impersonate the real estate company by email and change the wiring instructions, and she actually ended up wiring $25K to the fraudster and lost it. Vanguard actually REQUIRES you to confirm the wiring instructions by phone or in person before they’ll let you wire money out. Which is really annoying to find out after waiting on the phone for a while to send the wire and going through most of the process. But in the end I guess I appreciate the extra security.
Good to know. Thanks Jim.
I think I’ll adopt your practice of calling to confirm wire instructions before sending it, instead of relying solely on the email.
I would be wary of receiving wiring instructions by email – ever. This is really insecure. Imo, better to get it by phone or even snail mail or FedEx, maybe a secure site. For some real estate transactions, the title/escrow companies require the parties to come in person to pick up the wiring instructions. This isn’t possible for long distance transactions, but they could be FedEx’ed. Why won’t syndications accept ACH? What measures do syndications have to provide wiring instructions securely?
I guess you could get them mailed, but I’ve generally got them by phone.
Great article. I use a password manager. But I would suggest going a step further, and enabling 2-factor authentication, ideally not SMS based. I use an authenticator app, and if supported, Yubikey. Since many vendors do use SMS based 2FA, I suggest enabling your carrier’s security features to stop your number from being ported out.
This advice is a must. 2FA should be used everywhere it’s available. This is most important to use with your email, financial sites and your password manager.
Another big risk mitigation step is to “Plant your digital flag”. It’s relatively easy to register for online access for already established accounts at banks…just a few static identifiers and KBA questions. Same goes for government agencies like IRS and Social Security. Claim your account before someone else does.
Krebs on Security has articles covering most of these topics individually in far greater detail.
I’m always amazed that medical providers are still asking for social security numbers of patients. I haven’t given that to a provider for years, and seeing your 300 million number makes me glad of that. Perhaps my medical information has been hacked from somewhere, but at least it won’t also include my SSN. I always laugh a little when the receptionist tells me they don’t share my SSN with anyone. I think to myself “not intentionally, at least.”
What’s your take on paying for identity protection services like Identity Guard?
They’re not very expensive so worst case scenario you’re wasting a little money. I’m not sure how I feel about them yet to be honest. I am a fan of something like LastPass though.