Vulnerable to Cyberattacks, Risking Patient Privacy and Health
Here’s how this scam works: a QR code is replaced with a clone that redirects users to a fake website that looks legitimate, with duplicated logos and wording, similar enough to pass for a trusted site. Once a patient arrives and begins providing data, it’s intercepted by bad actors. These scan scams increased more than sevenfold in 2022 compared with previous years.
Fake QR codes are also used in outbound email campaigns, encouraging patients to scan a code that leads to an illegitimate site built to collect personal information or login details. Information such as medical history, Social Security information, personally identifiable information, access to patient portals and more is gathered and potentially sold on the dark web.
In terms of cybersecurity, QR codes are considered part of the overall attack surface. It’s just one more thing to worry about. At the same time, communications staff want to use them and are training patients to engage in unsafe cyber behavior by asking them to trust something that seems innocuous. It’s frustrating — QR codes deliver real value when they’re used effectively, but they will never be without risk.
QR Codes Are Here to Stay in Healthcare
The sheer ease of engagement with patients and the ability for providers to easily update information creates a frictionless and near real-time experience. While it’s possible to generate QR codes with security features (such as single sign-on, multifactor authentication and more), every additional step removes the simplicity of using a QR code to direct patients to critical information.
Cyber adversaries will attempt to compromise QR codes because the volume of codes, combined with the targeted user base relying on them, provides a juicy target. The task of health IT teams is to outsmart the cyber adversaries and ensure the QR codes used are less likely to be tampered with.
Protect Patient Privacy with Good Cybersecurity Habits
Reduce the opportunity for cyber adversaries to capture patient data by teaching patients good cybersecurity habits. Here are several best practices patients should follow when interacting with QR codes:
- Check the web address of the scanned QR code for authenticity. Determine if the site looks legitimate. Are there typos or a character out of place? If so, do not proceed.
- Use your smartphone’s camera to scan the code and ensure your OS is current.
- Consider where the QR code is being displayed.
- Don’t enter personal information into a site reached through a QR code.
- Avoid downloading apps through a QR code. Use your smartphone app store instead.
- Run mobile security software.
Creators of QR codes can help by using vendors that offer secure QR code generation and the ability to customize the domain with the healthcare organization’s brand. Set a policy for the organization and ensure everyone on the team knows where to get approved codes.
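The web-address check in the patient tips above and the approved-domain policy described here can be automated on the organization's side. The following is an added example, not code from the original article or from any QR vendor: it classifies a URL decoded from a QR code against a constructed allowlist of approved hostnames (the `examplehealth.org` names are assumed placeholders), flagging typo or character-swap lookalikes, approved names embedded in a longer attacker-controlled domain, punycode labels, and links that are not served over https.

```python
import difflib
from urllib.parse import urlsplit

# Constructed allowlist of the organization's approved QR landing hosts
# (assumed example values, not a real organization's domains).
APPROVED_HOSTS = ("portal.examplehealth.org", "appointments.examplehealth.org")


def check_qr_url(url, approved=APPROVED_HOSTS, threshold=0.8):
    """Classify a URL decoded from a QR code against an approved-host allowlist.

    Returns (verdict, reasons). Verdicts:
      approved  - host is on the allowlist and the scheme is https
      reject    - host is on the allowlist but the link is not https
      lookalike - host is not approved but resembles an approved name
                  (one-character typos, digit/letter swaps, or an approved
                  name embedded inside a longer, different domain)
      unknown   - host is unrelated to any approved name
    """
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("scheme is %r, not https" % parts.scheme)
    if host in approved:
        return ("approved" if not reasons else "reject", reasons)
    if "xn--" in host:  # punycode label: internationalized lookalike characters possible
        reasons.append("punycode label in hostname")
    embedded = False
    best = 0.0
    for good in approved:
        if good in host:  # e.g. portal.examplehealth.org.attacker.example
            embedded = True
            reasons.append("approved name %r embedded in a different domain" % good)
        best = max(best, difflib.SequenceMatcher(None, host, good).ratio())
    if embedded or best >= threshold:
        reasons.append("host resembles an approved name (similarity %.2f)" % best)
        return ("lookalike", reasons)
    reasons.append("host is not on the approved list")
    return ("unknown", reasons)


if __name__ == "__main__":
    for u in ("https://portal.examplehealth.org/login",
              "https://portaI.examplehealth.org/login",
              "https://portal.examplehealth.org.attacker.example/login"):
        print(u, "->", check_qr_url(u))
```

The same check can run in a help-desk tool or a scan-reporting form so that staff can confirm a code printed on signage still points where the policy says it should.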
Overall, QR code safety comes down to good cybersecurity hygiene. Let patients know about the convenience and simplicity of QR codes, and teach them how to be good QR code consumers by passing along these tips.