Don’t take the bait of computer hackers
Ontario’s Information and Privacy Commissioner is warning physicians and their staff members to be aware of the threat posed by phishing emails designed to attack their computer systems.
“Some phishing messages are quite sophisticated,” said Brian Beamish, Information and Privacy Commissioner. “Public and health-care employees can be tricked into opening an infected attachment, clicking on a suspicious message link that downloads malware, or disclosing sensitive information to attackers on a fake web site,” he said.
When health-care organizations fall prey to a successful phishing attack, he said, it puts at direct risk the security and privacy of all records under their custody and control. The consequences of a data breach can be extensive and severe.
Ontario’s privacy laws require public and healthcare organizations to have reasonable measures in place to protect personal information in their custody or control.
Phishing is a type of online attack in which an attacker — using both technological and psychological tactics — sends one or more individuals an unsolicited email, social media post, or instant message designed to trick the recipient into revealing sensitive information or downloading malware. Malware (malicious software) is any software intentionally designed to disrupt, damage, or gain unauthorized access to a computer system.
The Information and Privacy Commissioner has put together some tips to help health-care custodians steer clear of a phishing attack.
How to protect against phishing attacks
You can protect your health records from phishing attacks by adopting the following best practices:
Filter incoming messages: ensure that your IT systems screen incoming messages to reduce spam and other unwanted content. “Anti-spoofing” controls can verify the authenticity of senders and make it difficult for attackers to hit their target.
Install malware detection and filters: use software that prevents, detects, and removes malware and performs real-time scans.
Keep browsers and other software up to date: malicious attachments and malware often exploit security vulnerabilities made possible by outdated browsers and other software.
Lock down workstations: hackers can exploit computers that allow software to be installed and settings to be configured by individual users. Restrict or disable administrative rights for normal users and limit the number of computers or accounts with high-level privileges or access to sensitive information. Individuals with high-level privileges should not share accounts or use them for non-work purposes.
Require employees to use unique, complex passwords: the reuse of stolen passwords is a major phishing threat.
Identify external messages: you can detect phishing messages more easily if all external messages are clearly labeled as coming from outside the organization or medical office with a prominent message.
Segment networks that contain sensitive data from other networks. You can limit the impact of compromised computers and accounts by restricting their access to other networks or systems. For example, public-facing webmail servers should be isolated from intranet systems.
Enable encryption on documents, devices, and databases that contain sensitive information, by default, to provide an extra layer of defence against unauthorized access, use, and disclosure by attackers.
Conduct regular phishing awareness and training. Send simulated phishing attacks to employees to test their awareness and knowledge of how to respond.
Verify the sender by carefully examining the “From” address, which should be consistent with the display name and the context of the message. For example, an email message claiming to be from a bank should not have an “xbox.com” address domain.
Do not provide usernames, passwords, or other access codes in response to an email request or unsolicited popup windows. Legitimate organizations never ask for this information via email and only collect it through their official websites or applications.
Do not open suspicious file attachments. If you receive an unexpected attachment, contact the sender (preferably by phone) to confirm that the attachment is legitimate. If you cannot confirm its legitimacy, delete it.
Never click on suspicious links. Hover your mouse over parts of the message without clicking on anything. If the underlying hyperlink looks strange or does not match what the link description says, do not click on it. Note that images can also contain suspicious links.
Do not respond to suspicious or unwanted messages. The best practice is to flag the message as spam or delete it.
If a successful phishing attack has occurred, contact the Office of the Information and Privacy Commissioner of Ontario for advice and further guidance. You can reach the IPC at 1-800-387-0073 or [email protected].
The purpose of this column is to address practice management issues that have a wide applicability across the profession. If you have any questions or topic suggestions for this column, please email them to [email protected].