In recent years, many high-profile data breaches have made headlines.
Already in 2024, a ‘mother of all breaches’ exposed 26 billion records from sites like LinkedIn, Venmo, and X (formerly Twitter).
Healthcare organizations weren’t the target of this particular breach, but they’re increasingly under attack as cybercriminals try to exploit patients’ protected health information (PHI).
But what’s the biggest threat to health data security right now, and how can rehabilitation therapy practices minimize the risks? Here’s my take, as a Chief Information Security Officer with over two decades of experience in technology and information security.
Phishing: A Top Threat to Health Data Security
The top security threat to your rehab practice—and any organization, for that matter—is phishing.
A 2023 IBM report found that phishing was the number one infection vector, with 41% of attacks using some type of phishing attack.
What is Phishing?
Phishing is a simple yet incredibly effective cyberattack that relies on convincing people to share personal information. The attacker typically poses as a trustworthy entity—such as a bank or charity—and sends the target an email, text, call, or other communication. The goal is to get the person to provide their sensitive information, often over the phone or by clicking on a malicious link.
Even though phishing has been a preferred attack method since the early days of AOL, it is still incredibly effective. Bad actors continually improve their tactics, making the ‘bait’ less obvious and targeting high-value organizations—including outpatient practices.
Types of Phishing
There are five basic types of phishing attacks. They all rely on social engineering, but some are more sophisticated than others:
- Email Phishing. As one of the oldest and simplest methods, email phishing directs email recipients to fake websites that mirror legitimate ones. Sharp-eyed readers might sometimes notice that the email address is incorrect or a letter or two in the name has been changed. However, AI is increasingly closing these ‘tells.’ Bad actors may also pose as organizations or companies that recipients regularly work with, so they don’t look too closely at the email—especially during a busy work day.
- Spear Phishing. This is very similar to email phishing, but it adds a layer of trust by including personal information about the recipient. For example, it might address them by name or mention where they went to high school or college.
- Smishing. This tactic is similar to email or spear phishing but relies on text messages (SMS) rather than email.
- Vishing. Vishing involves attempting to get passwords or other data through a phone call rather than a link.
- Angler Phishing. This newer form of phishing uses social media rather than email. Cybercriminals may create posts, tweets, or even instant messages that target their victims. They often refer to data mined from the target’s previous posts, such as geotags or recent celebrations, which the target might not even remember they posted.
Other Top Data Security Threats in Healthcare and Public Health
According to HHS 450(d) (an educational project of the Health Sector Coordinating Council and U.S. Office of the Chief Information Officer) other top threats in healthcare data security include ransomware attacks, loss or theft of equipment or data, and attacks against network connected medical devices.
Why Do Cyberattacks Target Healthcare?
Healthcare providers are one of the most frequent targets of cyberattacks. In fact, IBM reports that breaches in healthcare organizations have surged over 53% between 2020 and 2023.
There is one simple reason for the rise in attacks: the value of healthcare data and patient information. Suppose an attacker can get into your practice’s systems. In that case, they have access to a treasure trove of information about your patients, including names, contact information, social security numbers, birthdates, diagnoses, and financial data.
It’s important to note that it’s not only the big guys—like major hospital systems—who are subject to cyberattacks. Even the smallest practice could fall victim to a costly phishing scheme, as a small urgent care center in Louisiana learned in 2022 after agreeing to pay $480,000 in restitution.
The Cost of Phishing Attacks
Sensitive patient information is protected and enforced by the Health Insurance Portability and Accountability Act (HIPAA), which means that breaches of patient data can be costly.
According to IBM, the average cost of a data breach is $4.45 million—but for health care organizations, that total more than doubles. It is the industry with the most expensive data breaches, averaging nearly $11 million.
Few practices can easily absorb that kind of expense. When you layer on lost patients, reputational damage, lost employee time, and recovery investments, the cost of a breach can rise even higher.
Staying Water-tight: How to Protect Your Data
To mitigate risks of cyber threats and protect patient privacy, there are a few key steps and best practices that all healthcare systems, organizations, and practices, need to take.
Security Awareness Training
The Healthcare Information and Management Systems Society (HIMMS) recently reported that nearly two-thirds of healthcare organizations struggle to stay up-to-date with the latest cybersecurity tactics due to limited time. Of the organizations that do offer some training, about 28% do so sporadically. Unfortunately, these practices are putting the their sensitive data and electronic health information at unnecessary risk.
A better approach includes regularly scheduled security awareness training—at least once every year.
Security and privacy training is one of the most effective things you can do to help reduce the risks of phishing attacks. Remember that these attacks rely on trickery and poor human security, so keeping data privacy top-of-mind for all your employees (from therapists to front desk admins) is a powerful first line of defense.
Web Filtering
Web filtering, also known as DNS filtering or simply web security, is a relatively easy-to-implement technical solution that can help limit the impacts of phishing. These software solutions analyze web content on the fly, comparing it to constantly updated blacklists of known malicious websites. If someone at your practice does click on a malicious link, web filtering can prevent the connection from going through. It can also halt drive-by malware downloads, block peer-to-peer filesharing, and stop other risky types of connections.
Multi-Factor Authentication
With multi-factor authentication (MFA), users must provide one additional bit of data after entering their password to confirm their identity. This could be a one-time code sent to their smartphone, a fingerprint, or even a facial scan.
MFA makes it more difficult for cybercriminals to access protected data, even if they manage to gain access to usernames and passwords. Because of that, MFA is considered a last line of defense—but it’s a powerful one.
Developing a Security Culture
Another important step in protecting against phishing attacks, as well as other forms of cyberattacks, is building a security-first company culture.
Here are some tips on how to incorporate security measures into your team’s daily routines:
- Help staff identify and avoid vulnerabilities. For example, simple adjustments—like directly typing, bookmarking, or looking up important URLs rather than relying on links from unverified sources—can make a huge difference in minimizing cybersecurity threats.
- Emphasize the importance of information security, even beyond the clinic walls. For example, employees should be cautious about what they share on social media. Personal information that can be found online is valuable to bad actors, who can use it to gain false trust.
- Above all, keep the lines of communication open. Encourage your team members to stop and check with peers or management if a communication feels “off.” Set up channels for them to ask security-related questions or get guidance on specific events.
Better Cybersecurity Practices and Your Software Systems
Phishing attacks against the healthcare industry are on the rise, and no practice is immune, regardless of size.
To protect both your rehab therapy practice and your patients, take a proactive approach to security. In addition to the methods detailed above, consider how your practice management platform and electronic health records (EHR) systems can partner with you in the protection of sensitive patient data. Data encryption, permissions and security controls, access records, and other features can help your security teams minimize risk.
Want more recommendations about security best practices? Take a look at my recent article on healthcare data security and your practice.
Here at Raintree Systems, we help physical therapy, occupational therapy, speech-language pathology and multi-disciplinary practices grow and succeed with scalable and robust software solutions. Raintree offers the only ONC-certified EHR system designed specifically for rehab therapy. Schedule a demo and learn why high-growth PT, OT, SLP, and multi-disciplinary practices choose Raintree.
Don Silva Sr. is Raintree Systems’ Chief Information Security Officer and VP System Ops & Infrastructure. As a senior leader with over 20 years experience leading Global Technology Teams across a variety of industries, he has helped companies grow, mature and align Security & Engineering Teams with business goals. Read Don’s full bio >
