
Don’t Get Hacked

As a physician, you are often the target of hacking, spamming, and phishing attacks. I’ll discuss the mindset necessary to avoid such issues in this article. It won’t be easy—I’ll say that immediately. The message is, don’t get hacked, keep your guard up, and assume all professional interactions are malicious.

The CEO Texted Me

The CEO of a company I consult for texted me and asked me to do something. It was rather clever. We do, in fact, communicate by text, but not in the manner in which he texted me.

I reached out to him on LinkedIn, and sure enough, he confirmed that I was getting spoofed. The person was pretending to be my boss and making his messages and contacts seem to be coming from the CEO and the company.

The key is to assume all messages are spam until proven otherwise. Text messages from my friends and family should all be sent on the same channels in the same way. Anything out of the ordinary has to be flagged.

Getting Hacked is Inevitable

Let me set you free by telling you that getting hacked is inevitable; it’ll eventually happen to all of us if it hasn’t already. The goal is to catch it early and minimize the damage from it.

The risk of getting your medical account hacked is that it would expose patient data, which is an expensive proposition. Even worse, you, as the physician, could be held liable.

Lesson: Don’t be hard on yourself. The people who do this for a living are much smarter than us and have many more resources available. But you can help avoid making things worse.

Phone Call From Medical Board

A hacker will call, pretending to be from the state medical board, and demand money or access to your account. They will threaten you if you don’t comply immediately.

Ironically, the state medical board investigator who called me in 2018 pulled the same number on me. He was legit, but his mannerisms were atrocious, making me suspect he was spoofing, so I told him that I wouldn’t be communicating with him until I got proof.

Fortunately, he had also sent a letter to my work, which I could obtain, and I got a phone number to call him back at.

Lesson: Confirm any contact with anyone new, even if it’s the police. You can always call their place of work directly before taking any action. Anyone who doesn’t let you do that is up to no good.

Calling The Wrong Phone Number

The other day, my buddy wanted to call Etsy to discuss a chargeback. He couldn’t find a phone number, and chatting was too cumbersome. He decided to Google a phone number for Etsy, only to come up with a hacker’s call line.

Once he called, the person assured him they could help him. He just needed to download the Etsy customer service app, which controlled his phone screen. He then had to transfer some money and so on. You get the idea. A disaster.

Lesson: If you need to contact someone, get the number from the company website directly. Even the company website can be hacked, so you have to remain vigilant. It’s better to forgo the money than get your information hacked, so avoid installing apps that you aren’t familiar with or that require high-level permissions.

Checking Messages When Tired

The habit of checking your phone early in the morning, right when you wake up, is bad enough. Worse is when you reply to messages, too, because you don’t want more to pile up later in the day.

Clicking on a link, replying to an email, or downloading an attachment are all risky.

Lesson: Avoid checking your phone first thing in the morning. If you do, check only what’s absolutely necessary and deal with any other requests or messages when you’re fully awake.

Law Enforcement Messages

If you get called by a cop, attorney, malpractice company, or anyone else you believe is in a position of power, you must ensure that they are who they say they are. Are they asking you for any information? That’s a major red flag and a sign that you might be getting hacked.

Because these are sensitive situations, the best line is, “My attorney has advised me that I need to reach out to them immediately if I’m ever contacted by law enforcement.” If their reply is, “Why, do you have something to hide?” your reply should be, “I don’t have anything to hide; I just want to make sure that I do everything appropriately to comply with the law.”

Lesson: Buy yourself some time by confirming that whoever is contacting you is the person who should be contacting you. When dealing with any law enforcement, you should always have legal representation. I learned that the hard way.

Protecting Patient Data

If you have patient data on your laptop or access patient portals through your phone or laptop, you must safeguard them using strong passwords and multifactor authentication.

Your medical group will likely cover the expense of any data hacking, but they might also decide to ignore you. Demonstrate that you are taking all necessary precautions.

If you have a work device, use it only at home or work. Don’t get hacked by giving someone easy access to patient data.

Protecting Your Virtual Medical Practice

I get a shit-ton of emails on my work email, which are quite suspicious. I get text messages and phone calls to my business line as well. It’s hard to know which is a potential patient and which is spam or a hacking attempt.

The best method is to use a high-quality EHR partner who can safeguard your patient information. If you keep your patient data in the cloud, you should use multifactor authentication to safeguard that information.
