Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker.
As a health professional, you may have migrated many of your business dealings to the Internet. You may work on a variety of virtual platforms. With most of us getting hacking notices from banks and hospitals who have been hacked and compromised our personal data, there should be no surprise that the personal information that you enter into the Internet is susceptible to cyberattacks — or that your client’s or patient’s Protected Health Information (PHI data) is being compromised because of your unfamiliarity with needed precautions.
Hackers use personal information illegally for their benefit and can cause significant emotional as well as monetary harm. Returning from a serious cyber-attack can quickly drain reserve funds and stress a group to the breaking point. The impact of a single successful cyberattack can cause serious damage for several years or bankrupt the effort altogether.
But you can protect your own as well as your client or patient PHI data by knowing more about the following types of cyberattacks and following the quick, easy, and effective precautions that anyone can implement immediately.
1. Malware Cyber Attacks
Malware is a broad term that encompasses various harmful software meant to penetrate, spy on, or construct a backdoor into a system. Ransomware, worms, trojans, adware, and spyware are all examples of malware. It is often downloaded unintentionally by clicking on a malicious link or deceiving a user into believing they are downloading something legitimate when they are not.
Learn to recognize strange links and pop-ups that could contain malware to help limit the risk of infection. In addition, keep your operating systems updated to fix security flaws. Most importantly, install anti-virus software to prevent, identify and defend yourself from malware.
2. Phishing Cyber Attacks
A phishing attack occurs when an attacker attempts to dupe an unsuspecting victim into disclosing sensitive information such as passwords, credit cards or social security numbers, and intellectual property. It takes the form of an email claiming to be from a trusted and legitimate source.
The best way to protect yourself from phishing attacks is to be alert and recognize a suspicious email or text message and refrain from clicking on it. Don’t click unexpected or unexplained links from people you don’t know. If you get an unexplained link from someone you know, reply to the email and ask the original party if they sent it to you.
Taking an extra minute to look at the root of a link can often belie the truth about its source. For example, if you receive a message on your phone telling you to click a link to get more information about a free gift from American express, look to see the root URL in the link provided. If it isn’t americanexpress.com, look again. Many mobile device attacks come from an unidentified source that uses a logo they lifted from a reputable site such as American Express but isn’t actually American Express. It might be http://amex.somethingelse.com.
Further, suppose you work for a larger group that can afford an Information technology specialist. In that case, they can be enrolled in certified training programs or use advanced security measures that come with anti-phishing technology.
3. Distributed Denial of Service Cyber Attacks (DDoS)
A Distributed Denial-of-Service (DDoS) attack floods systems, servers, or networks with unauthorized requests in an attempt to disrupt your system. In contrast to traditional denial-of-service attacks, which are detectable by most firewalls, a DDoS attack can use multiple compromised devices to attack your system with unmanageable traffic. When a DDoS attack is successful, the system is frequently forced to go offline, increasing vulnerability to other types of threats.
DDoS attacks can be mitigated by using a reputable hosting company with a verifiable history of “uptime” above 99%. Objective third-party sites are available to make sure that your hosting company is as safe as you need. During a DDoS attack, your host should be relied upon to block all traffic for a short period, rate-limit traffic to your website, use a web application firewall to detect suspicious traffic patterns, or scatter your traffic across a network of servers.
4. Man-in-the-Middle (MitM) Cyber Attacks
Man-in-the-Middle (MitM) attacks, also known as eavesdropping attacks, occur when an attacker intercepts two parties’ communication to spy on the victims and filter and steal data. The two parties involved usually communicate, but the attacker illegally modifies or accesses the message before reaching its destination. The most common entry points of this attack are- Public WIFI connections and software installations. The result of a MitM attack is that your client or patient’s PHI data can be compromised when they enter into a website such as your patient portal, log into a platform to meet with you for a video call, and many other ways they log in using WIFI.
Surprisingly, many high-end hotels and medical offices offer free WIFI services to their clients and patients, knowing that such services are not secure. You may check yourself into a hotel for example, and during your evening, access your email to check correspondence, log into your bank to verify bank balances for planned purchases during your time away from home, and order tickets to a show for the following evening. Doing so on a public WIFI system will give potential attackers access to your email account, bank account, and possibly your credit card numbers. Using the hotspot setting on your mobile phone will keep you much safer.
End-to-end encryption protocols, such as Transport Layer Security (TLS), are the most effective defense against MitM attacks. Furthermore, using a VPN to access networks via public WiFi will ensure that any information shared during that session remains private. Many newer mobile phones allow you to simply toggle on a VPN setting at no extra cost to you. Check your settings tabs to find it.
5. Credential Stuffing Cyber Attacks
Credential stuffing is a type of brute-force cyber-attack in which hackers use stolen usernames and passwords from one data breach to gain access to user accounts. It is possible because, according to statistics, 65 percent of people use the same password for multiple accounts.
Also, change your passwords for different sites. An easy connection is to think of a residential address from your childhood. It most likely contains a number, a capital letter, and a period in the abbreviation such as St. or Ave. Alter that address for every website in interjecting the first letter of a website, and voila, you have an easy-to-remember formula for making a relatively simple password for each website. Using suggested strong passwords is always a good option. Passwordless fingerprint, facial recognition along with the more complicated and time-consuming multi-factor authentication software are the best ways to protect against credential stuffing attacks since they eliminate the need to use stolen credentials.
6. Password Spraying Cyber Attacks
Password Spraying is a type of brute-force attack in which hackers try to guess a user password from a list of common passwords, such as:
- [your birthday]
Password spraying attacks, like credential stuffing attacks, can be mitigated by using passwordless authentication or multifactor authentication (MFA). The National Institute of Standards and Technology (NIST) Password Guidelines, which are widely regarded as the highest password standards in the world, can limit the danger of a data breach. More specifically, they require that passwords include at least 32 bits of data and be hashed with a one-way key derivation function. If the thought of researching hashed passwords doesn’t excite you, just avoid using passwords that are obviously too simple. Regardless of where you go or who you hire, make sure to use complex combinations of letters, digits, capitalization, and even blank spaces when allowed. If someone tells you that it is acceptable to use simple passwords, don’t believe them. Change your passwords often.
7. Mobile Device Cyber Attacks
Cybercriminals target mobile devices as their usage increases year after year, putting organizations at risk of a data breach. This type of attack can often turn on your camera and microphone, enabling the criminal to monitor you if you click an infected link.
When in doubt, err on the side of caution. To defend yourself from mobile security threats, you’ll need robust Enterprise Mobility Management (EMM) programs and Mobile Device Management (MDM) technologies, which will help you protect your PHI data.
Staying ahead of cyber evil-doers is a challenge, particularly now when many precautions have been waived because of COVID. One can never be too alert to protect your own as well as your clients’ or patients’ PHI data. Go about your business, but educate those who rely on your professionalism by remaining vigilant when using the Internet.
Is It Time to Earn Your Telehealth Certificate?
Telehealth Compliance Requirements Are Returning
Enforcement is headed our way. Improve staff competency and compliance with evidence-based telehealth BCTP® certificate training. Three levels available. Manage risk and distinguish your services now.