Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Cyberextortion – Is Your Patient’s Health Information Protected?

Posted on May 19, 2017 by Jean Eaton in Blog

Alice had a few minutes before the clinic opened and the first patients arrived. She logged onto the computer and then her personal email through a webmail connection. She checked through her messages and opened an email from a supplier. She followed a link to a website looking for a deal on office supplies and was shocked to find pornographic images!

Alice closed the browser and closed her email.

Then she saw the message on the clinic's computer screen, “This operating system has been locked for security reasons. You have browsed illicit material and must pay a fine.”

Alice could not access any of the files on the computer, not even the clinic's electronic medical record (EMR).

Is data the new hostage?

Cyberextortion is a crime involving an attack or threat of attack followed by a demand for money to avert or stop the attack. Cybercriminals have developed ransomware which encrypts the victim's data.¹

A healthcare business has many types of data on the computer network – patient health information, employee personnel records, fee for service billing, accounting and tax information. That information is important to you – and makes it a valuable target for cybercriminals.

The motive for ransomware attacks is monetary, and unlike other types of security exploits, the victim is usually notified that an attack has occurred and is given instructions for how to recover data. Payment for recovery instructions is often demanded in virtual currency (bitcoin) to protect the criminal's identity. (see WhatIs.com for more information)

 

 

How_They_Get_Your_Data_Phishing

 

Here's what you should be doing now to prevent cyberextortion on your computer network.

  1. Know where all your data is kept – your active patient records, archived patient records, billing records, etc. Remember to reclaim data that you may have left behind with previous vendors – transcriptionist, billing agents, remote data, retired EMR vendors, etc.
  2. Collect only the information that you need; not information that might be nice to know or that you might have a use for in the future.
  3. Install or update endpoint security solutions anti-malware and anti-virus software.
  4. Backup your data with secure encryption. Make sure that you have the encryption key and that you know how to use it. Test restore the backup and test the encryption key, too.
  5. Keep your backup separate from your computer network. You might store your backup on encrypted external drives or remote backup. But don't keep your backup device connected to your computer. If you are attacked by ransomware, the backup device can be locked. too.
  6. Is your current back-up device secure? Your backup should be maintained in an area with appropriate physical safeguards – for example, in a locked, secure, filing drawer, safe or data centre in a location separate from the computer network.
  7. Learn how to recognize phishing attacks so that you can prevent cyber attacks, too.

 

Collect_Only_What_You_Need_Cyberextortion

Risk can be mitigated through use of appropriate safeguards that will lessen the likelihood or consequences of the risk. Layers of safeguards – administrative, technical, physical – will help to prevent privacy and security breaches. When both the likelihood of the risk and the risk of harm is high, the more layers of safeguards should be considered to mitigate the risk.

Risk mitigation assessment is part of a privacy impact assessment (PIA). (What is a PIA?)

Review your current security policies and software with your technical support. If you have a small business and don't have in-house technical support, outsource a security review. Update your risk assessment. [clickToTweet tweet=”Don't become a victim of cyberextortion. #PrivacyAwarwe” quote=”Don't become a victim of cyberextortion.”]

 

Have you seen this?

The Office of the Information and Privacy Commissioner (OIPC) of Alberta has released an ‘Advisory for Ransomware'. You can learn more about preventative measures and ransomware response here.

10 Fundamental Cybersecurity Lessons for Beginners, by Jonathan Crowe, Nov 11 2015 to help you get started on improving your security.

See getcybersafe.ca for more information on common internet threats and on how cyber attacks affect businesses.

References 

Search Security Tech Target. cyberextortion definition

 

cyberextortion, health care, healthcare, phishing, Practical Privacy Coach, privacy, ransomware, Safeguards, security

How to Prevent Phishing Attacks

Posted on January 27, 2017 by Jean Eaton in Blog

“Hello Dear sir/madam, I have received large sum of money to be transferred to your bank account.Please to email me right away with your account information. Many thanks.”

Ever get one of these emails? We're pretty good at recognizing this kind of scam, but cyber criminals are very clever to find new ways to hijack our personal data.

These kinds of attacks are called “social engineering attacks” and they include “phishing”, “spear phishing”, “pharming” and “vishing“. These attacks exploit human tendencies of wanting to be helpful to people in need, trusting those with some form of authority, or even just being curious or greedy.

By claiming to be a system administrator who needs your password to fix your account, or your credit card company needing to verify your credit card number and expiration date, or someone from far away who will give you millions of dollars as soon as you send him some money first….these are all ways to gain unauthorized access to systems or information in order to commit fraud or identity theft.

It only takes one click!

A phishing scam usually involves an e-mail that encourages a user to click on a link, which could then expose the user’s computer to malicious software. The software can then open the doors to unauthorized disclosure of information, loss of information and/or denial of network service.

We have also seen an increase in the number of ransomware attacks where the attacker, once inside the victim’s system, changes the passwords or encrypts the data from the authorized users’ files. The attacker then demands that the owner pay them to return access to the information.

Last year, the Canadian Revenue Agency was forced to delay the tax-filing deadline because its network was exposed to the Heartbleed bug, which essentially allows unauthorized people to access supposedly protected Internet traffic. A computer-science student in London, Ont., is facing several charges for exploiting the vulnerability created by the bug to access sensitive information.  (The Globe and Mail May 14, 2015.)

Don't get caught on the phish-hook! 

There are many creative ‘cyber bad guys' who love to trick you into providing your personal information. You need to educate yourself about the kind of scams out there, and take heed to prevent a cyber attack.

[clickToTweet tweet=”Employees are widely considered to be the weakest link in security infrastructure. Be #PrivacyAware” quote=”Employees are still widely considered to be the weakest link in any security infrastructure, so it’s no surprise that phishing remains so popular and effective. “]

The fact is, good phishing email looks just like regular messages from people we know and care about, and to make matters worse, it can also be difficult to detect.

When it comes to phishing, prevention is the best defense. Investing in employee education and training now can save you a great deal of time and effort further down the line.

How Do You Avoid Being a Victim?

Tip – Be secure, be suspicious, be up-to-date.

Instructions

Digital chores

Click the image to download the pdf

  • Learn more about phishing – The Office of the Privacy Commissioner of Canada has a Top 10 tips to protect your inbox, computer and mobile device.
  • Educate yourself – and your staff and family– about cyber security awareness. Use the ‘The Realist’s Guide to Cybersecurity Awareness’ from Barkly to help you with ideas on how you can create a privacy and security awareness program.
  • Print the poster 5 Ways to Help Employees be Privacy Aware.
  • Use the Family Digital Chores Checklist from ESET-NCSA to remind you to conduct routine digital maintenance at home and at work.
  • Be suspicious of emails from financial institutions or other organizations hat ask you to provide personal information online. Reputable firms never ask for information in this manner.
  • Look closely for clues to fraudulent emails like a lack of personal greetings and spelling or grammatical mistakes.
  • Verify a phone number before calling it – if someone left you a message or sent an email claiming to be from your financial institution, make sure you check that the number is the one printed on the credit card or your bank statement.

 

DPD Champ badge

Celebrate Data Privacy Day with Information Managers!

 

[clickToTweet tweet=”Practical #Privacy tips, tools, and resources! Get it before it's gone. #PrivacyAware” quote=”Concerned about your privacy online? The FREE Data Privacy Day E-course makes it easy for you to enjoy the benefits of the internet while protecting your privacy.”]
It's easy, fun and filled with practical tips, tools, and resources!

Click here: Get it before it's gone.

Follow Data Privacy Day around the world using Twitter and #PrivacyAware.

#PrivacyAware, Data Privacy Day, email phishing, phishing, Practical Privacy Coach, prevent phishing attacks, privacy awareness, security

Who Can Authorize Payments in Your Healthcare Practice?

Posted on November 18, 2015 by Jean Eaton in Blog

Can your boss send the bookkeeper or clinic manager an email to authorize payment?

You might want to re-think that.

Read this CBC investigation report, “Ransomware, bogus emails from your ‘boss' mark growing skill of cyber-criminals” to understand the risk to small businesses from targeted phishing attacks.

There are many creative ‘cyber bad guys’ who love to trick you into providing your personal information or use social engineering to trick you to take action – like making a payment to ‘Mr. Smith'. It is essential to train your employees to help them identify an attack and prevent phishing attacks and prevent a privacy breach. If you are breached, learn how to spot and report it.

Set up clear policies in your healthcare practice about authorizing payments to legitimate vendors. Consider having one person responsible to create the cheque and another person to sign the cheque. Don't rely on email to authorize payments, especially to new accounts.

Related Posts:

Is Your Patient’s Health Information Protected from Cyberextortion?
Email Phishing

cyberextortion, healthcare procedures, phishing, security

Phishing Tales

Posted on January 26, 2015 by Jean Eaton in Blog

“Hello Dear sir/madam, I have received large sum of money to be transferred to your bank account.  Please to email me right away with your account information. Many thanks.”

 

Ever get one of these emails? We're pretty good at recognizing this kind of scam, but cyber criminals are getting very clever at devising ways to hijack our personal data.

These kinds of attacks are called “social engineering attacks” and they include “phishing“, “spear phishing“, “pharming” and “vishing“. These attacks exploit human tendencies of wanting to be helpful to people in need, trusting those with some form of authority, or even just being curious or greedy.

Illustration from the Privacy Commissioner of Canada, www.priv.gc.ca

Illustration from the Privacy Commissioner of Canada, www.priv.gc.ca

Phishing awareness training is needed at all levels of your business – even CEO's have been caught by phishing scams. By claiming to be a system administrator who needs your password to fix your account, or your credit card company needing to verify your credit card number and expiration date, or someone from far away who will give you millions of dollars as soon as you send him some money first….these are all ways to gain unauthorized access to systems or information in order to commit fraud or identity theft.

4 Tips to Avoid Being a Victim

  • Install a firewall and anti-virus software on your computer.
  • Be suspicious of emails from financials institutions or other organizations that ask you to provide personal information online. Reputable firms never ask for information in this manner.
  • Look closely for clues to fraudulent emails like a lack of personal greetings and spelling or grammatical mistakes.
  • Verify a phone number before calling it – if someone left you a message or sent an email claiming to be from your financial institution, make sure you check that the number is the one printed on the credit card or your bank statement.

 

Celebrate Data Privacy Day with Information Managers!

Follow Data Privacy Day around the world using Twitter and #DPD15.

We are proud to be a Data Privacy Day Champ!

DPD_profile_icon (All Platforms)

#DPD15, phishing, Practical Privacy Coach

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

"I did think that the info session was interesting on how many tools can be created and intertwined for the use of the patient. I do find the sessions good."

--Practice Management Nugget event, 'Engage your patients using automated tools' with Karol Clark

- Debra from Spruce Grove

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2022 Information Managers Ltd.

Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage vendors Read more about these purposes
View preferences
{title} {title} {title}