How to Protect Your Electronic Records Against Phishing

By TherapyNotes, LLC on June 16, 2017

In May 2017, thousands of Google users received an email invitation to open a document in Google Docs. However, in the few clicks it took to access the document, criminals were granted access to the user's email and contacts. While the email appeared to be legitimate, the communication was a part of a sophisticated phishing scheme that convinced users to give strangers access to their Gmail accounts. 

Though this phishing attempt targeted a popular email and document service, criminals may pose as any business to collect sensitive information. Your electronic medical records (EMR) provider ensures that your records are safe from malware, hackers, natural disasters, and catastrophe, but criminals may still try to trick you into granting them access by sending deceptive emails that appear to be from your provider. As a behavioral health professional, be on the alert for such phishing attempts that may cause you to unintentionally expose sensitive data.

What is phishing?

Phishing commonly takes the form of emails that impersonate a legitimate business and convince you, under false pretenses, to divulge sensitive information such as your username and password. For example, you may receive an email that appears to be from your EMR provider asking you to reply with your login information to verify your account.

Criminals, known as phishers, disguise the communication so that it appears authentic. Phishing messages may look like the emails you would typically receive from the company, and the communication may even contain personally identifiable information, such as your name, your phone number, or your company's name. 

How to detect phishing

If phishing can be so convincing, how can you possibly avoid it? There are a few checks to help you determine if a message is a phishing attempt:

  • Were you expecting the message? For instance, is this a response to a password reset request?
  • Does the email ask for sensitive information, such as your password, your credit card number, or even identifiable information about your clients?
  • Hover your mouse over the links and images in the email. Do the URLs that appear match the company's genuine domain exactly without any variations?

If the message is unexpected, asks for sensitive information, or leads to an unfamiliar website, be suspicious; it may be a phishing attempt.
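The link check above can also be automated for a saved HTML message. This is an added example, not TherapyNotes code; the host names `emr.example` and `www.emr.example`, the `TRUSTED_HOSTS` set and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"emr.example", "www.emr.example"}  # assumed genuine provider hosts

class LinkCollector(HTMLParser):  # gathers (visible text, destination) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href"), ""
        elif tag == "img" and attrs.get("src"):
            self.links.append((attrs.get("alt") or "", attrs["src"]))
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def check_link(text, url):
    """Reasons a link is suspicious; an empty list means it passes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:  # e.g. https://genuine-name@other-host/
        reasons.append("userinfo before host")
    if host not in TRUSTED_HOSTS:  # exact match only, no variations
        reasons.append(f"host {host!r} is not the genuine domain")
    if "." in text and " " not in text:  # visible text looks like an address
        shown = urlsplit(text if "://" in text else "//" + text).hostname
        if shown and shown.lower() != host:
            reasons.append("displayed address differs from destination")
    return reasons

def audit_email(html):
    collector = LinkCollector()
    collector.feed(html)
    return {url: check_link(text, url) for text, url in collector.links}

# Constructed sample message body (reserved .example/.test names only).
SAMPLE = """<a href="https://emr.example/login">Sign in</a>
<a href="https://emr.example.account-verify.test/login">https://emr.example/login</a>
<a href="https://emr.example@login.test/reset">Reset password</a>
<a href="http://emr-example.test/">emr.example</a>
<img src="https://www.emr.example/logo.png" alt="Logo">"""
```

Calling `audit_email(SAMPLE)` returns an empty list for the two genuine destinations and one or more reasons for each of the three lookalikes.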

If you decide to click on the link provided in the message, first confirm that the website is secure, designated by https:// in the URL and a lock icon in the address bar, before proceeding. Nevertheless, proceed with caution: even malicious websites may appear secure in order to gain your trust. When dealing with your EMR or other websites that handle sensitive data, also check that the website has an extended validation (EV) certificate. An EV certificate confirms the identity of the organization that owns the website and clearly displays the name of the company and its country of origin in green in the address bar, giving you comfort that you're in the right place. For example, the image below shows how Google Chrome displays TherapyNotes' EV certificate:

[Image: TherapyNotes EV and SSL certificate]

However, the safest way to navigate to any website is to open your browser and type the website directly into the address bar. Your browser will still display https://, the lock icon, and the EV certificate when available.

What to do if you detect a phishing attempt

Never reply to any email with your username and password or other sensitive information, and if you're suspicious, don't click on any links in the email. Call or email your EMR provider directly (do not reply to the email) to verify the authenticity of the message and report suspicious activity.

If you become the victim of a phishing scheme, follow these steps:

  • Contact your EMR provider to let them know that your account has been compromised
  • Change the password for your account immediately
  • File a complaint with the Federal Trade Commission (FTC) at
  • Visit to minimize your risk of identity theft

If you provide unauthorized parties, even if unintentionally, access to your electronic medical records or sensitive client data, you must issue a notification to the affected individuals, the Secretary of the US Department of Health and Human Services (HHS), and relevant media outlets (when applicable) in accordance with the HIPAA Breach Notification Rule.

Following good security practices online is especially crucial when using an EMR or any software that handles sensitive information about yourself or your clients. Trusted businesses like TherapyNotes will never request your username and password or sensitive client data via phone or email. Treat any attempt to collect your username, password, credit card number, or other personal information with suspicion.

For additional information, read more about phishing from the FTC. For details on protecting your TherapyNotes account, read How To: Detect and Report Phishing Scams from our Help Center.

* The content of this post is intended to serve as general advice and information. It is not to be taken as legal advice and may not account for all rules and regulations in every jurisdiction. For legal advice, please contact an attorney.

