Archives     Advertise     Editorial Calendar     Subscribe     Contact Us    



NMGMA: Ten Minute Takeaway


 
Jackson Thornton's Nic Cofield shares the devious means criminals use to gain access to PHI.

The second Tuesday of each month, practice managers and healthcare industry service providers gather at KraftCPA headquarters for the monthly Nashville Medical Group Management Association (NMGMA) meeting.

During the June luncheon, Nic Cofield, business development manager for Jackson Thornton Technologies, spoke about the importance of protecting your practice in the age of the healthcare hack.

Cofield helps educate and protect companies and practices against cybersecurity threats. He noted many healthcare organizations have taken significant steps like encryption and installing firewalls to safeguard their practice and protected health information (PHI). While providers have gotten smarter ... so have the bad guys who now target specific information. The biggest weakness facing security for employers, he said, is the education of employees and staff.

"In most situations, incidents caused by employee actions are not the result of malicious intent. Rather, the majority of cases stem from a lack of understanding and an overall sense of complacency," explained Cofield.

The five biggest threats to organization's cybersecurity are phishing, vishing, SMiShing, USB baiting, and impersonation and tailgating.

Phishing is the deceitful practice of sending emails pretending to be from reputable companies in order to compel someone to reveal their personal information, like passwords and credit cards. For example, the email from a prince of a foreign country claiming you've come into a large sum of money if only you'll send your social security number. Of course, criminals have gotten much more sophisticated with the bait the days.

Because newer safeguards are being taken, hackers have evolved to spear-fishing, which is a more targeted way of phishing using social media platforms in order to obtain information like club affiliations and member organizations to personalize and target the attack. A little detective work can make an email seem much more legitimate.

Cofield recommended employees pay extra attention to email URLs and improper grammar, which is often a sign the email has been sent by someone for whom English isn't a native language. He said extra precautions are especially necessary for any message requesting document downloads, requiring quick action after sharing frightening information, or any type of online banking alert.

Vishing, which is similar to phishing, finds the attacker using the phone to impersonate trusted sources or authorized organizations. Vishing most commonly targets areas of highly focused customer interactions, like the front desk or billing.

Sometimes the scam utilizes two calls with the first being reconnaissance and a follow-up caller using the information collected to make an information request seem more legitimate, One example might be the impersonation of IT support with a request of password information to download a software patch or update remotely.

Another threat that is gaining popularity is SMiShing, which utilizes text-based hacks and tricks users to download malicious software onto the device. Typically, the text says action is required and includes a link.

Attackers also utilize in-person methods of hacking through USB baiting and impersonation and tailgating.

USB baiting involves planting a USB device with the goal of having a user find the device and plug it into a computer. For example, a guest might drop a USB device in the lobby or inconspicuously lay it on the edge of the front desk before leaving the building. The hope is that a good Samaritan will plug in the device to see if they can obtain any information about who left it behind in order to return it. When they do this, the hacker is able to encode malicious software into their system.

Finally, hackers are able to utilize impersonation and tailgating to gain access to sensitive information. Social engineers are now posing as technicians, delivery people, and pest control reps amongst other things in order to exploit weak access controls and gain physical access to restricted areas. Cofield said a vishing expedition could uncover the name of a network provider. With a quick internet search, it's easy to download a logo from that company and have a polo shirt made with the emblem on it to look official.

These people can also 'piggyback' off of authorized users in order to gain access by asking for someone to hold the door for them or claiming to have left their access badge at home.

Cofield said the best way to prevent these hacks from occurring is to make sure employees are aware of these situations and know how to react in each scenario. He also suggested training should go beyond basic education and that companies should implement a Security Awareness Program that has a set routine of education and training sessions that can be scored and tracked on an ongoing basis. For those in the medical profession, the HIPAA Security Rule requires the implementation of these programs for all members of the workforce. Employees should be regularly tested on their knowledge to make sure that everything is implemented correctly and to address areas of weakness.

While all of these safeguards are important and should be implemented, Cofield emphasized that it is still crucial to constantly update your system and procedures in order to maintain safety and try to stay a step ahead. "If someone wants to get to you, they'll get to you," he cautioned. "What additional layers can you add? What policies can be put in place?" Cofield questioned.

People make mistakes, he said. Therefore, it's important for organizations to understand the many different ways in which systems can be compromised, create a security awareness program, and then train, test, and retrain employees regularly to try to minimize risks.

For information on upcoming NMGMA events or to learn more about the association, go online to nmgma.com.

WEB:
NMGMA
Jackson Thornton Technologies

 
Share:

Related Articles:


Recent Articles

Alexander Leads Bipartisan Support for Accelerated FDA Reviews

By a vote of 94-1, the U.S. Senate has sent President Trump a bill addressing FDA user fee agreements meant to speed up the Food & Drug Administration's review of new drugs and devices.

Read More

BlueCross BlueShield of Tennessee Partners with TN HIMSS and Belmont University to bring HIT Workforce Education to Chattanooga Region

The Tennessee HIMSS Chapter and the Center for Executive Education at Belmont University will partner with BlueCross BlueShield of Tennessee to bring a 14-week certification program to healthcare information technology (HIT) professionals in the Chattanooga region.

Read More

Alzheimer's Foundation Of America Seeking Nominations For Dementia Care Professional Of The Year

The Alzheimer's Foundation of America (AFA) is now accepting nominations for its 2017 "Dementia Care Professional of the Year."

Read More

Addressing Adolescent Angst in a Digital World

Growing up can be difficult in a digital age. Dr. Jess Shatkin shares insights on how primary care providers can support parents in an age of increasing adolescent anxiety and depression.

Read More

Leading the Way

Child neurologist Jeffrey Neul, MD, has been appointed director of the Kennedy Center at VUMC.

Read More

TJC Sharpens Focus on Healthcare Access for Children

Always a champion for children's health, the Tennessee Justice Center is taking more steps to ensure coverage for nearly a million Tennessee kids.

Read More

You Be the 1

You Be the 1 campaign, started by local couple John & May Bumpus, hopes to reach struggling teens through kindness and empathy and connect them to area resources.

Read More

Pediatric Rounds

The Children's Hospital at TriStar Centennial officially celebrated the opening of its new pediatric emergency room last month.

Read More

NMGMA: Ten Minute Takeaway

Phishing, Vishing, SMiShing ... there are an array of sophisticated methods that cyberthieves can use to access PHI.

Read More

Cash in Hand

With increased patient responsibility, collecting for healthcare services can be difficult ... but there are some best practices providers can put in play to maximize timely payments.

Read More

Email Print
 
 

 

 


Tags:
Cybersecurity, Hacking, Impersonation, Jackson Thornton Technologies, Nashville Medical Group Management Association, Nic Cofield, NMGMA, PHI, Phishing, Protected Health Information, SMiShing, USB Baiting, Vishing
Powered by Bondware
News Publishing Software

The browser you are using is outdated!

You may not be getting all you can out of your browsing experience
and may be open to security risks!

Consider upgrading to the latest version of your browser or choose on below: