Forget ghost stories, these frightening tales rob practices of money, time, and sanity.
Deception
For many of us, computer viruses top the list of frustrating IT issues. The following story makes our list because of its exceptionally deceptive nature and how often it occurs. It goes like this: the victim sees an alarming pop-up on their computer: “A virus has been detected on your computer. Please call this number immediately to remove it.” What the victim doesn’t realize is that there is no virus at all; the pop-up is the bait in a tech-support scam, the same kind of social engineering as a phishing e-mail, and the phone number belongs to the attacker.
For the record, this is the time to contact your IT partner – they should know when anything suspicious occurs.
The victim calls the number and is told to provide credit card information to pay for the “removal.” Feeling pressured to solve the issue and get back to work, the victim hands over the financial information. While collecting the victim’s payment details, the caller also works to get onto the computer itself, usually by talking the victim into installing remote-access software, and uses that foothold on the practice network to harvest and steal practice data. By the end of the phone call, the attacker has accomplished two big goals: theft of financial information and theft of practice data. In a matter of minutes, a devastating data breach has occurred.
Always consult your IT partner when suspicious activity arises. A good IT partner will immediately manage and guide you through the situation to ensure your safety and work to minimize the risk.
Ransom
There’s a newer kind of malware in town, and it’s more malicious and sneaky than ever. It goes by the name ‘ransomware,’ and it holds a victim’s data for ransom by encrypting it. Ransomware is not a virus in the classic sense: it most often does not sneak onto the machine by itself but arrives as an e-mail attachment that a user has to open. Easy enough to avoid, right?
Unfortunately, these malicious attachments almost always look legitimate. They appear to come from trusted sources (Amazon, FedEx, etc.) to entice victims to open them quickly. They can slip past the comforting safeguards in place (firewall and antivirus) because a firewall does not judge mail the user chose to open, and a freshly made attachment is often not yet recognized by antivirus signatures. Once opened, it encrypts as much of the victim’s network as it can reach, including mapped drives and shared folders, and holds it all for a hefty ransom. The ransom usually must be paid in bitcoin, so setting up a bitcoin account adds even more stress for the victim. Once the data is encrypted, only the holder of the decryption key, the attacker, can release it. Victims have to either pay (we’ve seen demands up to $7,000!) or lose the data and restore from a previous backup.
Never open attachments that you aren’t expecting. Your IT partner can remove the ransomware itself, but cannot ‘fix’ or decrypt the files it has already locked, so staff education is key to avoiding this malware, and so are backups that are tested and kept where an infected machine cannot write to them (a backup drive that stays plugged in gets encrypted along with everything else). It’s always better to call and verify with the sender to confirm the legitimacy of an attachment than to take a chance and risk your entire network.
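The disguises described above (a “shipping label” that is really a script, an invoice named invoice.pdf.exe, a zip that hides an executable) can be caught before the user ever sees the attachment. The following is an added example, not code from the original post: a small attachment screen of the kind a mail gateway or help-desk script might run. The extension lists, the rules, the file names and the in-memory zip are all constructed for the demo; a real gateway would also inspect file contents, not only names.

```python
"""Screen e-mail attachments for the disguises ransomware droppers rely on.

Added example for this post, not code from the original article. The rules
and the sample attachments below are constructed for the demo; a real mail
gateway would also inspect file contents, not only names.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows runs directly, or that carry scripts/macros.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "lnk"}
MACRO_EXTS = {"docm", "xlsm", "pptm"}
ARCHIVE_EXTS = {"zip"}


@dataclass
class Attachment:
    filename: str
    content: bytes = b""


@dataclass
class Verdict:
    filename: str
    block: bool = False
    reasons: list = field(default_factory=list)


def _ext_chain(filename):
    """'Invoice.pdf.exe' -> ['pdf', 'exe'] (lower-cased, base name dropped)."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def screen_attachment(att):
    """Return a Verdict; block is True when any rule fires."""
    v = Verdict(att.filename)
    exts = _ext_chain(att.filename)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        v.reasons.append(f"executable type .{final}")
        # invoice.pdf.exe: a document extension placed in front of the real one
        if len(exts) >= 2 and exts[-2] not in EXECUTABLE_EXTS:
            v.reasons.append("double extension disguises an executable as a document")
    if final in MACRO_EXTS:
        v.reasons.append("macro-enabled Office document")
    if final in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
                for name in zf.namelist():
                    inner = _ext_chain(name)
                    if inner and inner[-1] in EXECUTABLE_EXTS | MACRO_EXTS:
                        v.reasons.append(f"archive hides runnable file {name}")
        except zipfile.BadZipFile:
            v.reasons.append("archive is not a valid zip")
    v.block = bool(v.reasons)
    return v


def blocked_filenames(attachments):
    """Names of attachments that should be held back from the user."""
    return [a.filename for a in attachments if screen_attachment(a).block]


def build_demo_zip(inner_name, payload=b"WScript.Echo('demo')"):
    """Construct an in-memory zip holding one file, for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed sample mail: what a fake "FedEx shipping label" lure might carry.
SAMPLE_ATTACHMENTS = [
    Attachment("Receipt_2024.pdf", b"%PDF-1.4 ..."),
    Attachment("Invoice.pdf.exe", b"MZ..."),
    Attachment("Shipping_Label.zip", build_demo_zip("Shipping_Label.pdf.js")),
    Attachment("Statement.zip", b"this is not a zip"),
    Attachment("Q3_Report.xlsm", b"PK..."),
]

if __name__ == "__main__":
    for att in SAMPLE_ATTACHMENTS:
        verdict = screen_attachment(att)
        status = "BLOCK" if verdict.block else "allow"
        print(f"{status:5} {att.filename}: {'; '.join(verdict.reasons) or 'no findings'}")
```

Only the plain PDF passes; the other four are held back with a reason the help desk can read out to the user. The zip rule matters because Windows hides known extensions by default, so “Shipping_Label.pdf.js” inside an archive displays as “Shipping_Label.pdf”.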
Fraud From Within
Our last story doesn’t start on the computer, but instead with your very own employees. The following scenario is more common than you’d think, although hardly discussed in the dental and IT industries.
We begin at an innocent practice, where everyone seems busy and focused on business as usual. However, on the team is an employee with more sinister intentions. This person may be disgruntled, planning their exit, or maybe just newly aware of the vast array of sensitive, yet valuable, information at their fingertips. Regardless of the reason, they begin harvesting and exporting patient data (credit card numbers, social security numbers, contact information, birth dates, etc.). Then they sell the information, use it themselves, or both.
After a while of this illegal activity (could be a week, could be years!), the practice finds out what has been going on, often through numerous complaints of patient identity theft, financial discrepancies, etc. Depending on the practice’s existing policies (or lack thereof), the practice can be held liable for the entire situation. The practice, not the rogue employee, is the HIPAA covered entity; if that employee was never required to sign paperwork acknowledging the practice’s privacy policy, and the practice cannot show it limited and logged access to patient data, it will have a hard time demonstrating reasonable safeguards and will bear the resulting data breach penalties and fines. HIPAA penalties range from $100 to $50,000 per violation.
Confirm your practice has adequate policies that protect it from employee actions. If your practice does not have strict HIPAA-compliant policy documentation signed by all employees, begin creating and implementing a policy now. If your practice has policy paperwork but you are unsure how it protects you, revisit it with an expert at your soonest convenience. Additionally, work with your IT partner to limit which data each employee can access. Access should depend on the job: a front-desk employee needs scheduling and contact details, not card numbers or full charts. Avoid giving every employee full access every day, and make sure the system logs who looks at which records, so that one person pulling hundreds of charts stands out.
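The two controls above, access that depends on the job and a log that makes bulk access visible, fit in a few dozen lines. The following is an added example, not code from the original post or from any practice-management product: a role allow-list over patient record fields, an audit trail written on every read, and a check that flags any user who touches an unusual number of distinct patients within an hour. The roles, field names, threshold, sample record and audit log are all constructed assumptions for the demo.

```python
"""Least-privilege access to patient records, with an alarm for bulk reads.

Added example for this post, not code from the original article. The roles,
field sets, threshold and audit log are constructed assumptions to show the
idea; a practice-management system would hold the real ones.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Fields each job role may read. No role gets everything; only billing sees
# payment identifiers, and nobody needs the full SSN day to day.
ROLE_FIELDS = {
    "front_desk": {"name", "phone", "email", "dob", "appointments"},
    "billing": {"name", "dob", "insurance_id", "card_last4", "balance"},
    "clinician": {"name", "dob", "allergies", "chart_notes", "xrays"},
}

# Constructed sample record (fake values).
PATIENT = {
    "name": "A. Patient", "phone": "555-0100", "email": "a@example.invalid",
    "dob": "1980-01-01", "ssn": "000-00-0000", "insurance_id": "INS-0001",
    "card_last4": "4242", "balance": 120.0, "allergies": "none",
    "chart_notes": "routine cleaning", "xrays": [], "appointments": [],
}


class AccessDenied(Exception):
    pass


def can_read(role, fields):
    """True only if every requested field is on the role's allow-list."""
    return set(fields) <= ROLE_FIELDS.get(role, set())


class RecordStore:
    """Enforces the role allow-list and keeps an audit trail of every read."""

    def __init__(self):
        self.audit = []  # (when, user, patient_id, fields)

    def read(self, user, role, patient_id, fields, record, when):
        if not can_read(role, fields):
            denied = sorted(set(fields) - ROLE_FIELDS.get(role, set()))
            raise AccessDenied(f"{user} ({role}) may not read {denied}")
        self.audit.append((when, user, patient_id, tuple(fields)))
        return {f: record[f] for f in fields}


def flag_bulk_readers(audit, window=timedelta(hours=1), threshold=50):
    """Users who touched more than `threshold` distinct patients in any window.

    A rogue employee exporting records looks like a normal user except for
    volume: nobody legitimately needs dozens of charts in an hour.
    """
    by_user = defaultdict(list)
    for when, user, patient_id, _fields in audit:
        by_user[user].append((when, patient_id))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t_end, _) in enumerate(events):
            recent = {pid for t, pid in events[: i + 1] if t > t_end - window}
            if len(recent) > threshold:
                flagged[user] = len(recent)
                break
    return flagged


def demo_audit_log():
    """Constructed log: one normal front-desk day plus one bulk-export run."""
    store = RecordStore()
    start = datetime(2024, 3, 1, 9, 0)
    for i in range(12):  # check-ins every 15 minutes
        store.read("dana", "front_desk", f"P{i:04d}",
                   ["name", "phone", "appointments"], PATIENT,
                   start + timedelta(minutes=15 * i))
    for i in range(80):  # 80 patients' identifiers pulled in 40 minutes
        store.read("mallory", "billing", f"P{i:04d}",
                   ["name", "dob", "insurance_id"], PATIENT,
                   start + timedelta(seconds=30 * i))
    return store.audit


if __name__ == "__main__":
    print("front desk may read SSN:", can_read("front_desk", ["ssn"]))  # False
    print("bulk readers:", flag_bulk_readers(demo_audit_log()))  # {'mallory': 51}
```

The allow-list stops a front-desk login from reading SSNs or card data at all. The billing clerk in the constructed log is allowed to read each field she requests, which is exactly why the second control matters: the audit trail, not the permission check, is what reveals 80 patients’ identifiers leaving in 40 minutes. The threshold should be set from what a normal day at your practice looks like.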
Though these scary situations occur frequently, partnering with a proactive IT partner that understands HIPAA compliance will help keep your practice safe from a multitude of malicious threats. Contact us if you have any questions, or would like to discuss these scenarios in further detail!