AACNBarnhill10082025HD

HIPAA – Social Engineering & Psychological Manipulation




Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors.  Due to the unique language of acupuncture, there will be errors, so we suggest you watch the video while reading the transcript.

Hey everybody. Good morning, good afternoon, whatever it may be for you. This is Perry Barnhill with the Fearless Acupuncturist. I want to first give a big thanks to the American Acupuncture Council for sponsoring this show, and we are going to talk about something you may have heard of before: social engineering and how it could affect your practice in regards to HIPAA.


Go to the slideshow, please. Okay. Again, another big thanks to the American Acupuncture Council for bringing this show to you. Okay. Social engineering, you may have heard of this before. We've talked about this in our previous shows: we want to plan, we want to prepare, and we want to protect ourselves and our practice from things like this, so it doesn't happen.


Or if it does happen, we can minimize the effects of it. So why do Julie and I teach HIPAA? We understand what it's like to have practices. We understand what it's like to be concerned about HIPAA. We also understand that HIPAA is a very complicated subject. We try to break it down to help minimize the stress in your offices, because if you know what it is you need to know for HIPAA, it makes things much, much better.

Okay, so in the meantime, as people are starting to hop on this show, we want you to look at this and maybe consider taking this little quiz. This quiz is quick, it's easy. One of the reasons we did this quiz is because so many of the providers are not aware of exactly where they stand with HIPAA. And simply by doing this quiz, you can see what your grade is.

It's a few questions. It doesn't take long, and it'll give you a grade. Obviously, if you're an F or a D, you need a lot of help. If you're a B, you may still need some help, so make sure you check it out and see where you're at. You can scan the QR code here, or you can simply go to the website that we've got listed below.

So what is social engineering and how does it work? Social engineering is a form of psychological manipulation that tricks users, meaning us as providers in our offices and our staff, into making mistakes and giving away sensitive information. What do I mean by sensitive information?

Sensitive information in this context is patient information: anything you have on your patients, be it their name, their address, their email address, not just their conditions or the treatment that you provided for them. It can literally be any one of those things. So what happens is it relies on human error instead of vulnerabilities in software and in the operating systems, by exploiting human emotions.

And here are some examples. If you get an email that says it's sent by a quote-unquote friend, make sure you double check that before you respond. Messages relaying a troubling story about someone you may know, a message saying that time is running out, messages or offers that seem too good to be true, and messages or offers of help with things that you had never requested.

The sender, you can't confirm their identity. So these things alone, if you pay close attention to them and you avoid clicking on the wrong thing, can save you so much time, so much stress, and a ton of money, and a ton of potential fines when it comes to HIPAA. So the impact on healthcare these days from these hacking incidents is huge.

It's responsible for up to 75% of all the incidents in 2022; they include phishing, email attachment, ransomware, and malware incidents. 80% of all breached patient records in 2022 were caused by hacking. This is why it's a big deal to avoid this. Here's the other thing, if you ever wondered why they are doing this.

Guess what? They can sell a single medical record, and when I say they, I mean the cyber criminals, the crooks out there that steal this information, for 250 bucks a file. So you can imagine 10 files. It's a lot of money. A hundred files. It's a lot of money. And most of us have all this information in our offices, so we have to protect it.

Common clues in social engineering: things they trick you into, like revealing information, again, patient information, and they can install malware onto your computers. And like I said earlier, it relies on human error. Human errors from us as providers, human errors from our staff as well, not the software, not the operating systems.

They trick us. They trick our brains. Here's a little quiz I want you to think about and take. Hackers like to use social engineering techniques to trick you into making a security mistake, like I've just talked about. They do this by adding these words or phrases to a message. Select the answer from the list below: A) sending a message with a sense of urgency; B) including words that say "quick" and "time is running out"; C) mentioning an illness of a family member or a friend; or D) all of the above.

I think most of you probably got this. Yeah, the answer's all of the above. They do all kinds of things. They have this sense of urgency. They trick you into thinking it's your family or your friends.

They'll do anything they can to steal that protected health information, because like I said earlier, it's very valuable when they get it. What are the most common forms of social engineering? If you've watched some of our shows before, we talked about phishing, so make sure you see those shows from the past.

But social engineering uses email or malicious websites to solicit personal information by posing as a trustworthy organization. And now they're doing this thing called spear phishing, and that's also a form of social engineering, folks. It targets a narrow audience, hence the word spear. These attacks are more coordinated these days.

We're getting SMS, we're getting text messages, even staff, and they can trick staff through their phones into giving out things that they shouldn't be giving out. That could potentially get you in some hot water. Here are some examples, if you've ever gotten these before, whether it's in an email or in your texts, where they say, hey, your bank account is locked.

It's a message claiming to be from one of your credit cards, maybe American Express, Chase, or whatever it may be, about some activity. Or that you may have won a prize. And if you click on it, if you click on any of these things, boom, they may be able to get into your systems. It must be a fake, but it's also a funny attack.

Sometimes things are funny. You click on them and they trick you into going to these sites that we shouldn't be going to. Unusual account activity messages that say you need to click to secure your data. So these five things here are just some of the things that I would encourage you to talk to your staff about, so they pay a little extra attention to not clicking on the wrong sites, or maybe ask you before they click on them.

Here are a few boxes. This alone can serve as HIPAA training for you yourself and your staff. Make sure you talk to your staff about these, and be aware of these things: recognizing and reporting phishing. So, four things to check when you suspect that an email might be a phishing attempt.

I'm not going to read all the bullet points, but I want you to be aware: the sender's unfamiliar or unexpected; go through those bullet points, read those things. Or the message doesn't look right, it sounds funny, maybe the grammar isn't correct. Double check those. Check the from address: do you know who sent it?

Does it look legitimate? A lot of times you can spot a fake just because it doesn't look legitimate at all. Don't click on that. Inspect links and attached files. So again, share this with your staff, because if we can prevent an attack from happening, then we never have to report it. But if it happens, guess what?

We have to report it. We even have to tell the patients. Sometimes you have to take ads out in newspapers to tell the public it happened, depending on the size of these things, and that's not to mention the fines and penalties that could happen as a result of this. Here's a checklist, and again, this is a really good thing to share with your staff and for you to make mental notes of. Print it out, talk to the staff about these things: not recognizing the sender; not expecting an email or an attachment; the from address looks funny or doesn't match; it invokes a sense of urgency; not recognizing the destination URL, is it an accurate website or not; asking for login credentials; bad grammar, bad spelling; a generic greeting; the signature, is it generic or does it lack contact information?

Again, make sure that you share this with your staff. Now, of course, this isn't enough to be HIPAA compliant, but again, if we can prevent these things from happening, we'll be far better off in the end. So what are some next steps that you can take? What about questions? A couple of things you can do. You can schedule a demo if you'd like to.

You can get started right away. You can go to fearlessprovider.com/demo and ask for one of the demos. We're happy to hop on there and show you what we have here with our HIPAA program. You can scan the QR code here and go right to it. You can get started. Just go to fearlessacupuncturist.com. Get started with the HIPAA program.

Or you can contact me at Dr. perry@betterhippoblueprint.com. In the meantime, everybody, I hope you learned from the show here. Please pay close attention to those things, and please share this information with your staff. In the meantime, I hope you all have an amazing day.
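The phishing checklist from the show (unfamiliar sender, from address that doesn't match, link destination that isn't where the text says it goes, urgency, requests for login credentials, generic greeting, unexpected attachments), as an added example that is not part of the show's material or of any Fearless Acupuncturist product: a small Python script that runs those checks over a raw email message and returns the red flags it found. The two sample messages, the sender domains, the `expected_senders` list and the keyword lists are all constructed for the example and are assumptions; a real office would keep its own list of vendors it expects mail from. Something like this is a training aid for staff, not a substitute for a mail security gateway.

```python
"""Run the phishing checklist over a raw RFC 822 message (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keyword lists are assumptions for the demo; tune them to what your office sees.
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.(?:com|net|org|gov))", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|time is running out|"
                     r"act now|account (will be )?(locked|suspended))\b", re.I)
CREDENTIALS = re.compile(r"\b(password|login credentials|verify your (account|identity)|"
                         r"sign in to confirm)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear|hello|hi)\s+(customer|user|valued member|"
                              r"account holder)\b", re.I | re.M)
RISKY_ATTACHMENT = re.compile(r"\.(exe|scr|js|vbs|hta|docm|xlsm|zip|iso)$", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' domain; good enough for the demo (assumption)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def check_email(raw, expected_senders=()):
    """Return a list of red-flag strings for one raw message; empty means clean."""
    msg = message_from_string(raw, policy=policy.default)
    known = {d.lower() for d in expected_senders}
    flags = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    if from_domain not in known:                       # unfamiliar / unexpected sender
        flags.append(f"unfamiliar sender domain: {from_domain or addr!r}")
    claimed = DOMAIN_RE.search(display)                # display name says one site,
    if claimed and registered_domain(claimed.group(1)) != from_domain:   # address another
        flags.append(f"display name claims {claimed.group(1)} but address is {addr}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and registered_domain(reply.split("@")[-1]) != from_domain:
        flags.append(f"Reply-To domain differs from From: {reply}")

    text_parts, links = [], []
    for part in msg.walk():                            # gather body text, links, attachments
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_parts.append(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            collector = LinkCollector()
            collector.feed(html)
            links.extend(collector.links)
            text_parts.append(re.sub(r"<[^>]+>", " ", html))
        elif part.get_filename() and RISKY_ATTACHMENT.search(part.get_filename()):
            flags.append(f"risky attachment: {part.get_filename()}")
    body = "\n".join(text_parts)

    for text, href in links:                           # inspect where each link really goes
        parsed = urlparse(href)
        dest = registered_domain(parsed.hostname)
        shown = DOMAIN_RE.search(text)
        if shown and registered_domain(shown.group(1)) != dest:
            flags.append(f"link text shows {shown.group(1)} but destination is {parsed.hostname}")
        elif dest and dest != from_domain and dest not in known:
            flags.append(f"link goes to unrelated domain {dest}")
        if parsed.scheme == "http":
            flags.append(f"link uses plain http: {href}")

    if URGENCY.search(body):
        flags.append("urgency language")
    if CREDENTIALS.search(body):
        flags.append("asks for login credentials")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting")
    return flags


# Constructed sample messages (not real mail); domains are made up for the demo.
PHISH = """\
From: "Chase.com Security" <security@chase-verify-login.com>
Reply-To: recovery@mail-recover.net
To: frontdesk@example-acupuncture.com
Subject: Unusual activity - account will be locked
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. Your account will be locked within 24 hours
unless you verify your account now.</p>
<p><a href="http://chase.com.secure-update.ru/login">https://www.chase.com/secure</a></p>
</body></html>
"""

BENIGN = """\
From: "Support" <support@ehr-vendor.example.com>
To: frontdesk@example-acupuncture.com
Subject: Scheduled maintenance this weekend
Content-Type: text/plain; charset="utf-8"

Hi Dr. Barnhill,

The portal will be offline Saturday 2-4 AM for maintenance. No action is needed.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, check_email(raw, expected_senders=("example.com",)))
```

Each flag maps to one line of the checklist, so staff can compare what the script says against what they would have noticed by eye; the "link text shows X but destination is Y" check is the one people most often miss, because the visible text looks right.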

