The most important and effective security tools are your medical practice’s staff

The Medical Group Management Association’s most recent MGMA Stat poll asked healthcare leaders, “Do staff receive anti-phishing training?” The majority (76%) responded “yes,” while 24% said “no.”  

The poll was conducted Sept. 22, 2020, with 1,020 applicable responses.

Among respondents at practices with anti-phishing training, annual training (36%) was most common; followed by training at new-hire onboarding (14%); and periodically, randomly or as needed (12%).

Free resource: Maintaining cybersecurity while working remotely

Maintaining cybersecurity while working remotely is crucial for group medical practices. This free resource from MGMA Government Affairs outlines many critical threat areas, including:

• Telehealth
• Ransomware attacks
• Loss of equipment/devices
• Vulnerable network
• Non-compliance with government requirements.

New places where cyber threats live

As Marion Jenkins, PhD, FHIMSS, partner, HealthSpaces, notes in his MGMA Connection feature, “Don’t be a teleworking crash dummy,” more than nine in 10 successful cyberattacks begin with a phishing email.1

“In today’s altered work landscape, new technologies and tools had to be adopted very quickly, with little or no planning or training,” Jenkins writes. “While the kitchen table or home office might seem familiar physical environments, the technical environment may be significantly more prone to attack. With users being outside the normal security perimeter of the practice, the ‘threat footprint’ has significantly increased.”

With isolation, pandemic-related anxiety and sometimes difficult work-from-home arrangements, teleworking medical practice staff may be at heightened risk from perpetrators of cyberattacks and scams.

Disconnect if you suspect an attack. As Jenkins notes, ransomware is designed to replicate itself across the network and corrupt all your data. During an attack, it’s important to limit the spread of the attack. If you suspect your computer might be infected, do not click on more links or open more windows or apps. Just power it down and contact your IT help/support line.

Being forewarned is forearmed

Jenkins recommends that medical practice staff watch for these dozen red flags on inbound emails, social media, screen pop-ups and other communications:

1. COVID-19-related messages. The more sensational or urgent the message, the more suspicious you should be.
2. Financial: PPP, individual banks, taxes or Small Business Administration. Some businesses may have contacted multiple banks regarding PPP; scammers know this and craft emails with subjects such as, “PPP money is still available,” or “You didn’t complete your PPP application.” Knowing that some larger banks have millions of customers, scammers can easily craft a convincing-looking message branded with these banks’ logos, which can be full of traps. 
3. The 2020 Census. Since much of the census is not able to be done in person, online census scams have become more prevalent.
4. Voter registration/virtual voting/political fundraising. This is an election year like no other, making it the perfect time to target unsuspecting and socially isolated individuals who are getting much of their information online and likely voting online or by mail.    
5. New CDC or CMS guidelines, especially those governing medical practices. This is especially devious, since new regulatory guidelines come out nearly every day and practice executives have to understand and follow them. Scammers are counting on this vigilance to work for them.
6. Items relating to business or personal tax deadline extensions. IRS scams have been around for years, but this year’s changes in deadlines and deductions represent new opportunities for scammers.
7. Software updates. That “new update” for Zoom, Microsoft Teams, Google Meet or other service may be nothing more than an attempt by a scammer who knows you are using these new software tools for web meetings. They will use fake update messages to trick you.
8. Add-ons for web meetings. At a minimum, these funny backgrounds, filters or masks might contain annoying adware or send more annoying web pop-ups your way. At the extreme, they may be avenues for harmful malware.
9. Anything related to cybersecurity, hacking, antivirus and the like are common user-bait. Scammers are especially skilled at scaring users in an attempt to make them click on anti-malware links that are themselves malware. (Hint: Look closely, usually there are misspelled words, bad grammar, garish graphics or a plethora of exclamation marks — those are telltale signs of a hoax.)
10. Windows 10 and browser updates. Many practice applications require specific (and sometimes non-standard) browser versions, and there’s been a lot of chatter around the new Edge browser. Scammers know this and hope you will think some quirkiness might be related to a browser issue rather than malware.
11. Emails from human resources or building management saying “someone” has tested positive for COVID-19. A scam message might say that HIPAA privacy rules prevent them from identifying the individual, and ask you to fill out a form detailing your recent movements. Buried in that form is a place for you to include your personal info to be harvested. (Note: The bigger/more top-down the organization is, the easier it is to pull this off.)
12. Snail mail. Digital threats not scary enough? There are others that can arrive in your physical mailbox. For example, there have been recent snail-mail scams involving a postcard from a fake HIPAA officer, directing users to a fake web link.2

MGMA Stat

Would you like to join our polling panel to voice your opinion on important practice management topics? MGMA Stat is a national poll that addresses practice management issues, the impact of new legislation and related topics. Participation is open to all healthcare leaders. Results of other polls and information on how to participate in MGMA Stat are available at: mgma.com/stat.

Additional resources

• MGMA COVID-19 Recovery Center
• “Maintaining Cyber Security while Working Remotely” (Advocacy resource)
• “Practices see rise in cyberattacks during COVID-19 pandemic” (Washington Connection)
• MGMA HIPAA Resource Center — Access resources such as the Cybersecurity Action Steps tool.
• Find more articles like Jenkins’ in the October issue of MGMA Connection magazine.

Notes: 

1. PhishMe. Enterprise Phishing Susceptibility Report. 2016. Available from: bit.ly/3gDZUJO.
2. Dyrda L. “HIPAA-compliance postcards a scam, Office for Civil Rights warns.” Becker’s Health IT. Aug. 11, 2020. Available from: bit.ly/3hEkqLP.