Losing access to your clinical systems can significantly delay or even halt your clinic’s ability to operate. Understanding and recognizing the most common cybersecurity threats is critical for mitigating the risk of a security breach. This section shares tips on how clinics can reduce the risk of personal health information falling into the wrong hands and prevent the computer systems in your clinic from becoming inaccessible.

Phishing

Phishing refers to the act of tricking a person into revealing sensitive information, such as passwords or unique identifiers (e.g., PHN), by pretending to be a legitimate institution, like a bank, retail business or support center. This is the most common method criminals use to initiate a cyberattack, which can result in losing access to your systems or having data stolen. Phishing attacks can come by email, phone, or text.

What could a phish look like? 

Historically, phishing attacks have shared common characteristics such as poor spelling and grammar, a tone of urgency, or evoking a feeling of guilt or sympathy. While phishes often still have these characteristics, modern phishes are increasingly elaborate and may appear to come from familiar contacts. Phishes will ask you to take action, most often to click a link or open a file. This is how malicious software, or malware, gets onto your network. Phishes may also ask you to call a phone number, where a fake call center will then collect personal information. This is why legitimate organizations will never ask you for passwords or codes. In health care, you may see phishes that appear to be:

  • Requests from a patient to look at a photo, medical record or sign a form.
  • A denied or problematic payment, asking you to visit a link or open a file to check information.
  • A referral from a professional contact asking you to look at a chart, photo, or document.

How can I spot a phish? 

Ask yourself the following three questions when you’re unsure if an email is legitimate:

  1. Do I know the person or company contacting me? No --> Increased likelihood of phishing. Use caution.
  2. Am I being asked to open a link or file? Yes --> Increased likelihood of phishing. Use caution.
  3. Is there a tone of urgency or critical problem that I'm being asked to correct? Yes --> Increased likelihood of phishing. Use caution.

I deal with a lot of files and new patients. What are some simple ways I can reduce risk? 

If you allow patients to email you, set expectations for how they are to communicate with your clinic. Advise them not to send files and photos unless asked and inform them that you will not be opening links or files that they send unsolicited. Check out our sample communication templates for help setting expectations with patients. 

Use an antivirus program that includes phishing protections, like email attachment scanning or phishing link detection. There are many reasonably priced options. DTO can help explain different options on the market. 

Hover over any links provided, without clicking, to see where they take you. If the URL looks like it takes you somewhere other than where the email text indicates, that is a good flag to use caution.

Do a phishing simulation together with your clinic staff to learn the details of how attackers try to trick you. There are both free and paid options available. Contact DTO to learn more. 

Look at the DISPLAY NAME and the ADDRESS AND DOMAIN NAME of the sender. Refer to the example below for more information.

Display name vs. domain name

An email address has two main components that give information on who the sender is. Users can set their own DISPLAY NAME, but the ADDRESS AND DOMAIN NAME show the true online identity of the person who is contacting you. If these don’t match previous correspondence with the contact, or the message is from a peculiar and unfamiliar domain, it’s a good indication of a phish.

Example: Who is actually sending the email? 

Above are two possible examples of DISPLAY NAME and ADDRESS AND DOMAIN NAME for a familiar contact, Doctors Technology Office. These two pieces of information will appear in the “from” field in your email. How can you know which one is legitimate? 

  1. Check for previous emails sent to or received from Doctors Technology Office. The email address should be the same as the one you have on file and any others should be treated with suspicion. 
  2. Doctors Technology Office is part of Doctors of BC, a professional organization, and is likely to have their own domain. Think of the domain as an address used by others on the internet to find you. Mail may be delivered there, or your website may be hosted there. In this case, the domain is “doctorsofbc.ca”. Large corporate and professional institutions are more likely to own their own domain, while small businesses and individuals are more likely to be using free, hosted email services such as Gmail, iCloud, Yahoo, TELUS, Shaw, or Hotmail.
  3. When we look at the ADDRESS AND DOMAIN NAME above, we see that although both show a DISPLAY NAME of DTO Info, one is actually coming from gmail.com.
  4. Lastly, the best way to verify is to contact the sender through another channel. If someone claiming to be DTO contacted you, you could find the phone number on the DTO webpage and call to see if someone was trying to get hold of you.
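The display-name vs. address check above can also be written down as a small script, so that clinic IT staff can see exactly which part of the “from” field an email client shows and which part identifies the sender. This is an added example, not code from DTO or Doctors of BC; the doctorsofbc.ca mailbox it uses as the address “on file” is a placeholder (only the domain comes from the page), and the sample From headers are constructed to mirror the two DTO Info examples.

```python
from email.utils import parseaddr

# Addresses your clinic already has on file for known contacts, keyed by the
# display name they normally use. The doctorsofbc.ca mailbox is a placeholder.
KNOWN_CONTACTS = {
    "dto info": "dto.info@doctorsofbc.ca",
}
KNOWN_ADDRESSES = set(KNOWN_CONTACTS.values())

# Free, hosted mail services (domains assumed for the services the page names);
# a familiar organization mailing from one of these deserves a second look.
FREE_MAIL_DOMAINS = {"gmail.com", "icloud.com", "yahoo.com", "hotmail.com"}


def split_sender(from_header):
    """Split a raw From: header into (display name, address, domain), lower-cased."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.strip().lower(), addr, domain


def assess_sender(from_header):
    """Return (verdict, reasons) for one From: header using the page's checks."""
    name, addr, domain = split_sender(from_header)
    if not domain:
        return "use caution", ["no usable address in From header"]
    if addr in KNOWN_ADDRESSES:  # the address is what identifies the sender
        return "matches record", []
    reasons = []
    on_file = KNOWN_CONTACTS.get(name)
    if on_file:  # same display name as a known contact, but a different address
        reasons.append(f"display name '{name}' is on file as {on_file}, but this mail is from {addr}")
    else:
        reasons.append(f"no record of '{name}' <{addr}>; verify through another channel")
    if domain in FREE_MAIL_DOMAINS:
        reasons.append(f"{domain} is a free hosted mail service, not an organization's own domain")
    return "use caution", reasons


# Constructed From headers: the genuine DTO Info address, a look-alike from
# gmail.com, and an unknown professional contact.
SAMPLE_FROM_HEADERS = [
    "DTO Info <dto.info@doctorsofbc.ca>",
    "DTO Info <dto.info.bc@gmail.com>",
    "New Referral <referrals@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        verdict, reasons = assess_sender(header)
        print(f"{header!r}: {verdict}")
        for reason in reasons:
            print("  -", reason)
```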

Ransomware

Ransomware is a form of malicious software, or malware, that is commonly used by modern cybercriminals. In a ransomware attack, files and systems are encrypted by a criminal who has gained access to your network, rendering them inaccessible to you. The criminal then demands payment to unlock your data or threatens to publish it on the internet.

How do ransomware attacks happen?

Modern software and devices have many safeguards in place by default to prevent attackers from being able to access them from outside your network. In order to carry out an attack, criminals must gain access to your network. There are several main methods by which this can occur, but the most common method is through phishing (see above). Other methods, such as the exploitation of known software vulnerabilities, are also common.

How do I know if I'm a ransomware victim?

If you suddenly lose access to your clinic network or computers, your files are unexpectedly encrypted, or you receive a note demanding payment, then you might be the victim of a ransomware attack.

How can I be prepared to deal with an attack?

Be familiar with the four key steps of responding to a breach, and have a breach response plan in place at your clinic before a breach happens. You can find more information on how to respond to a breach in the privacy toolkit.

How can I get my clinic back online?

Nearly all EMRs in BC are cloud-based. This means that your clinic applications and data are likely accessible from locations and devices other than those in your clinic. Your IT professional can provide information on how to continue to operate by accessing your cloud-based applications from a separate computer or network. If your clinic has a breach response plan in place, you can also refer to the contingency planning resources to help get your clinic back online.

What about cyberinsurance?

The Canadian Medical Protective Association (CMPA) is generally available to assist physicians with the medico-legal implications of breaches of patient information, including cybersecurity events.

Matters concerning the business of medicine, such as payment of ransomware demands, restoration of data, privacy breach notification to patients, forensic investigation or hardware replacement are not in the scope of CMPA services, highlighting a potential role for cyberinsurance.

Physicians who are interested in evaluating whether cyberinsurance is right for them can contact the Doctors of BC’s insurance team to learn more about insurance offerings exclusively available to physicians. 

The Doctors Technology Office is an initiative of the Family Practice Services Committee (FPSC), a joint partnership of Doctors of BC and the Government of BC.