Protect Yourself and Your Patients Protected Health Information
Social engineering sounds so pleasant, like someone making introductions at a party. Unfortunately, it’s actually the practice of manipulating someone to disclose confidential information. If you work for a large company you may have been warned about social engineering in the form of people trying to find out more about your business or break into areas of your company to which they should not have access, like thieves dressed as computer repair man walking out with a company’s servers. What you might not consider is that social engineering can be aimed directly at you, as an individual, or to your medical provider to fraudulently acquire your personal information including protected health information. Here are some scams to be aware of as both a medical employee and a private individual, and ways to protect your personal information.
The Call
One method frauds use to try to get your data is through neighbor spoofing. Once again, this fun term isn’t what it sounds. Instead, the thieves will copy part of a phone number you recognize in the hopes you will think it is the number of a company with which you do business. This call can be to an individual patient, or to a medical provider. The caller will pretend to be whoever you expected and use this expectation to get you to reveal personal information they can use to steal your identity.
If you are a medical provider and want to prevent your number from being used in this way, it is important to make sure your numbers will always show up on a caller ID as your business name. You may also want to consider third-party help to see if this has already happened to your numbers and how you can manage it. If you are the person answering the phone, verify who is calling. If the caller ID didn’t clearly identify the caller, ask to call them back through their mainline, not a number the caller provides. If it will be difficult to reach the person, let them know you will call them back directly on the line they’ve given after you’ve verified their details with the business.
Never reveal your social security number over the phone. One company used numbers similar to a hospital’s but then switched the script when their calls were answered, offering a bogus credit card application that required applicants to give all their personal information. Other times the caller may indicate that there is some sort of time-sensitive emergency to throw you off balance and throw out common sense. There is always time to verify before you give out information.
The Email
Phishing is another form of social engineering that affects email. Scammers can again act like someone they are not. Protect yourself by double-checking the email address itself, not just the name that pops up with the email. Often these email addresses will look “off” in some way or have an excess of jumbled numbers and letters. While responding to scam emails isn’t a good idea, the worst option is clicking on any links they send. Right now ransomware attacks on protected health information are exploding. Ransomware holds your patients’ information hostage, threatening to reveal it and make it available for any fraudster to use. Of course, the best way to avoid this type of attack is to have effective network security and email filters, but the fact is that there is no way to avoid all scam emails. Make certain you and your staff are trained on what to look for in these phishing attempts.
No matter what, if a provider is contacting you, they shouldn’t need excessive personal information to verify who you are. Work with them ahead of time to know what data they need to verify who you are before they give you personal information by phone. If you are a provider your employees need to use these same common sense tactics to protect your patient’s data.
