Tips to prevent 'quishing' and protect patient data

QR codes designed to improve data transfer can entice healthcare data breaches. Sharat Potharaju of Beaconstac shares advice on how to safely bolster data security while providing patients the ease of mobile access.
By Andrea Fox
04:21 PM

Photo: Marko Geber/Getty Images

Because mobile devices are generally security weak points for organizations, QR codes that are designed to ease processes such as image file transfers may leave protected health data vulnerable.

Sophisticated bad actors can replace a genuine QR code with a clone that redirects users to a similar website where patient and personal data can be intercepted. They can also use email to embed their fraudulent QR codes into legitimate-looking emails, also known as "quishing." 

Healthcare IT News asked Sharat Potharaju, co-founder and CEO of Beaconstac, which offers a QR code platform, to discuss why the matrix barcodes appeal to cyber criminals and how healthcare organizations can protect patient data from being compromised in a QR code exploit.

Q: What are QR code exploits and how are healthcare IT systems vulnerable?

A. "Scan scams" have become an almost daily occurrence, increasing more than seven times in 2022. 

QR code phishing, in particular, puts patients and healthcare organizations at risk for identity theft, data breaches and malware infestations. Cybercriminals trick patients or staff members into scanning a QR code, which sends them to a website that appears legitimate and prompts them to share personal data or log-in details. 

Hackers steal sensitive information, such as medical history, insurance information, social security numbers or other personal identification data, to gain access to patient portals, provider networks and other digital services. 

Because it has a market on the dark web, patient data is a very tempting target. In fact, one patient record sells for upwards of $1,000 on the black market, depending on its level of detail. That dollar amount is nearly 50 times higher than standard credit card records.

Q: How can HIT block such exploits? Can healthcare organizations still use QR codes?

A. QR codes help organizations improve communication, transparency and information between providers, caregivers and patients. 

To secure this technology, healthcare organizations should leverage a QR code generator with built-in features like single sign-on, multifactor authentication, custom domain and user management. 

The second critical piece is a QR code platform with incident management tools and security measures subject to regular comprehensive audits. 

However, education also helps block QR code exploits. Healthcare organizations must train their employees and patients on the safe use of QR codes, including how to identify and avoid phishing scams, malware and other security threats. 

Q: How do we enable patients and others to feel cyber-safe using QR codes?

A. Encourage patients to verify the authenticity of the QR codes they scan before sharing personal information. 

Many people open a link right after they scan a QR code without even checking the link, which poses privacy and security risks. Patients need to check the website or app URL linked to the QR code or use a reputable QR code scanner app to confirm the destination’s trustworthiness.

Patients should also only scan QR codes from verified sources, such as their healthcare provider's website, app or printed materials. If a QR code appears suspicious or comes from an unknown source, patients should not scan it.

Additionally, patients must take caution when sharing personal data – like medical history or insurance information – through a QR code. They should only provide this information to trusted healthcare providers providing proof that information is transmitted securely and encrypted.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.