The phishing threat to healthcare has been growing over the last few years. The 2019 HIMSS Cybersecurity Survey found that phishing appeared in 59% of significant security incidents across all healthcare organizations and 69% of incidents at hospitals alone. What can be done about the ongoing phishing attacks on healthcare organizations?
During a phishing attempt, an attacker poses as an authorized person or entity in an email to get the target to supply valuable information, such as credentials, or click on a link that leads to ransomware being downloaded on the victim’s system. It only takes one person to fall for an entire organization’s bait to be infiltrated and held for ransom.
See for yourself how ReferralMD can improve your patient referral process with patient engagement tools that reduce no-shows.
The good news is – you don’t have to be super tech-savvy to protect your healthcare organization from data breaches. All you’ve got to do is follow these four simple steps:
1. Audit your Organization’s current Cybersecurity Environment
When it comes to averting a phishing attempt, one of the usual pitfalls a company might sink into is presuming that its cybersecurity solutions are managed and maintained via standard risk assessments.
This assumption can cause considerable organizational issues, as the speedy development of technology and its use in healthcare has far surpassed any general assessment remit. For this very reason, healthcare organizations should conduct an ongoing and thorough assessment of their vulnerabilities.
“Cybercriminals are adept at modifying their malware and methods to stay ahead of traditional protections that organizations deploy, as seen by the rise in infections and sophistication of attacks in 2017,” Rahul Kashyap, worldwide chief technology officer at Cylance, said in a press release. “Companies must be aware of the threats, keep up-to-date with patches, and use defenses that protect against constantly evolving malware.”
Once you’ve identified the threats you might face, you’ll need to sit down and assess whether your current security protocols are up to the mark when it comes to defending your cyberinfrastructure. At this particular point, you’ll be evaluating all of your security measures to pinpoint weaknesses, whether it’s the need to improve outdated security processes, gaps in knowledge, or a lax approach to cybersecurity throughout your organization.
Prioritizing the risks within your audit is perhaps the single most important step in the entire procedure.
2. Leverage Technology-based Solutions for Enhanced Protection
Once you have identified risks in your current security model, you can then leverage advanced technological solutions for enhanced security of patient data.
Multi-factor Authentication (MFA) is one of the most sought-after options when it comes to safeguarding data; how it works: after someone enters their username and password, they have to enter in an additional code sent to their registered device, like a smartphone, before they can finally log in. This can amplify the security of your electronic health records (EHR) system and prevent non-permitted access.
Cloud Computing is another great option to protect sensitive medical data. Sophisticated security measures such as data encryption, filtering of access, and secure access login can easily be implemented by custom healthcare software development companies and service providers into the data cloud making it more secure than the conventional data storage techniques.
The foremost way to protect healthcare data from phishing is to prevent your employees from visiting an unsafe website. This can easily be achieved through the use of a web filter that is specifically configured to deny access to websites harboring malware and the ones that may come across as fake. This will further block the downloading of file types most commonly associated with malware.
3. Determine which of your Employees are Most Vulnerable
Despite the use of awareness campaigns and phishing simulations, employees remain vulnerable to phishing emails. Therefore, healthcare organizations must take important steps to explore employee susceptibility to targeted phishing emails.
One means by which this can be achieved is via targeted, fraudulent emails, which aim to persuade employees to download malicious attachments, click on malicious links, or transfer organizational funds and other sensitive data. This practice is commonly known as spear phishing. Identifying susceptible employees through this method will help you in targeting training directly to them. To prevent problems, you may want to limit their access to confidential data.
As per findings of one recent study published on ScienceDirect, the substantial variation in exposure to spear-phishing across job roles was reflected in employees’ relative awareness of the relevant procedures and processes, such as how to report a suspected phishing email, with those who regularly encountered potentially fraudulent emails or regularly reported emails as suspicious appearing to be more familiar with the reporting process.
Therefore, it is equally important for healthcare employers to ensure that frequent guest lectures or team discussions are conducted to keep employees across roles informed about how phishing attempts are made and what they can do in case they come across a suspected email. Training and awareness are two extremely essential factors that can help healthcare organizations in countering phishing attempts.
4. Segment Networks to Restrict Access
“Much of the challenge of safeguarding patient data is simply a matter of keeping sensitive information cordoned off from the rest of the network, making it more difficult for cyber attackers to reach it,” states the CDW white paper ‘Ensuring the Security of Patient Data’.
Deploying countermeasures, such as network segmentation, can help healthcare organizations mitigate the risks from common phishing attacks.
Network segmentation involves splitting the larger networks into smaller segments. This can be done by employing firewalls, routers, and other tools to restrict access to parts of a network and provide an added layer of security to PHI. Networks can either be segmented by function, such as separating human resources from the finance department, or data type, such as splitting PHI from non-regulated data.
However, healthcare organizations need to ensure that all of these solutions are used in accordance with the clauses mentioned within the Health Insurance Portability and Accountability Act (HIPAA).
“A lot of organizations basically have a strong perimeter on the outside and relatively few controls inside. The idea of segmentation is that finance does not necessarily need to talk to operations. Marketing does not necessarily need to talk to engineering or have access to engineering resources,” explained BlackRidge CTO John Hayes, in a recent interview.
Network segmentation lays the groundwork for controls that safeguard against lateral movement on the network by ransomware or hackers, preventing an infection or compromise from spreading across the network. Therefore, it is an extremely crucial step for healthcare organizations looking to battle data breaches.
The best way to combat phishing threats is to educate the users that are targeted. Security awareness training programs can help teach users good habits and be followed up by sending fake emails to test the users. Users that fail should be retrained and disciplined.
Other methods include educating employees on how to: never click on a link in an email, open the browser, and type the URL manually. If you get a request that seems unusual, pick up the phone and verify the request. Have a security policy for employees with specific examples of how to deal with possible situations. Look for poor grammar, typos, misspellings, or bad links to images in emails and websites.
Although phishing attacks happen to be an ever-persisting problem and healthcare organizations are highly vulnerable to these attacks, a lot can be taken care of with these simple but effective tips.