
QR Codes Are a Double

May 28, 2023

Mary Blackowiak is the director of product management and development for the endpoint and mobile security portfolio with AT&T Cybersecurity. She has more than 15 years of B2B marketing and product management experience in the high-tech space, including positions with Forcepoint, NSS Labs and Best Buy for Business.

In the quest to deliver personalized, relevant and more immediate healthcare, automating selected processes is one way to meet the challenge. Streamlining data exchange between providers and patients has terrific applications, such as providing access to information about a diagnosis or wellness education. One way to direct patients to this information is by QR code (see this example from a rural healthcare organization in southwest Iowa).

A QR code is a 2D barcode used to access online information quickly, typically through a smartphone camera. QR codes were invented in Japan in 1994 for labeling automotive parts, adding speed and accuracy to that process. Today, QR codes can be found on everything from baked goods to restaurant menus, TV ads and posters. They are easy to generate and intended to take users to a specific web location to share or collect relevant information.

Using a QR code to access information is relatively low-risk. Patients tend to be passive participants in healthcare scenarios. However, after scanning a code for data collection, patients may be asked for personal information to schedule or preregister for an appointment. At this point — as patients share private information with a data collector — the risk of using QR codes becomes exceptionally high. The patient has no way to verify that the data collector is legitimate.


Here’s how this scam works: A QR code is replaced with a clone that redirects users to a fake website that looks legitimate, with duplicated logos and wording similar enough to a trusted site. Once a patient arrives and begins providing data, it’s intercepted by bad actors. These scan scams increased more than sevenfold in 2022 compared with previous years.

Fake QR codes are also used in outbound email campaigns that encourage patients to scan a code directing them to illegitimate sites that aim to collect personal information or login details. Information such as medical history, Social Security information, personally identifiable information, access to patient portals and more is gathered and potentially sold on the dark web.

In terms of cybersecurity, QR codes are considered part of the overall attack surface. It’s just one more thing to worry about. At the same time, communication staff want to use them and are training patients to engage in unsafe cyber behavior by asking them to trust something that seems innocuous. It’s frustrating — QR codes deliver real value when they’re used effectively, but they will never be without risk.

The sheer ease of engagement with patients and the ability for providers to easily update information creates a frictionless and near real-time experience. While it’s possible to generate QR codes with security features (such as single sign-on, multifactor authentication and more), every additional step removes the simplicity of using a QR code to direct patients to critical information.

Cyber adversaries will attempt to compromise QR codes because the volume of codes, combined with the targeted user base relying on them, provides a juicy target. The task of health IT teams is to outsmart the cyber adversaries and ensure the QR codes used are less likely to be tampered with.


Reduce the opportunity for cyber adversaries to capture patient data by teaching patients good cybersecurity habits. Here are several best practices patients should follow when interacting with QR codes:

Creators of QR codes can help by using companies that offer secure QR code generation and the ability to customize the domain with the healthcare organization’s brand. Set a policy for the organization and ensure everyone on the team knows where to get approved codes.
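One way a health IT team could enforce such a policy is to decode every QR code on draft materials and check the destination against the approved branded domain before anything is printed. The sketch below is an added example, not code from the article or from any QR vendor; the domain `example-health.org`, the function names and the sample payloads are placeholders made up for illustration.

```python
from urllib.parse import urlsplit

# Assumption: placeholder branded domains standing in for the organization's own.
APPROVED_DOMAINS = frozenset({"example-health.org"})

def check_qr_payload(payload, approved=APPROVED_DOMAINS):
    """Return policy findings for one decoded QR payload; an empty list means it passes."""
    try:
        parts = urlsplit(payload.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["not a parseable URL"]
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo before the host can disguise the real destination")
    if port not in (None, 443):
        findings.append("non-default port")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("internationalized hostname, possible lookalike")
    # Exact match or a true subdomain only; a bare suffix match would accept
    # "notexample-health.org".
    if not any(host == d or host.endswith("." + d) for d in approved):
        findings.append(f"host {host!r} is not an approved domain")
    return findings

def audit(payloads, approved=APPROVED_DOMAINS):
    """Map each failing payload to its findings, for review before materials are printed."""
    results = {p: check_qr_payload(p, approved) for p in payloads}
    return {p: f for p, f in results.items() if f}

# Constructed sample payloads, as decoded from QR codes on draft materials.
SAMPLES = [
    "https://qr.example-health.org/preregister",
    "http://qr.example-health.org/preregister",
    "https://example-health.org.patient-forms.example/login",
    "https://example-health.org@patient-forms.example/login",
    "https://notexample-health.org/portal",
]

if __name__ == "__main__":
    for payload, findings in audit(SAMPLES).items():
        print(payload, "->", "; ".join(findings))
```

The same check can be rerun against codes photographed in waiting rooms to catch a sticker placed over a legitimate code.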

Overall, QR code safety comes down to good cybersecurity hygiene. Let patients know about the convenience and simplicity of QR codes and teach them how to be good QR code consumers by passing along these tips.
