Cybercriminals are more of a threat to securing patient data than ever before. Employ these tactics to better prepare your staff.
What if your smartest and most trusted employee turned out to be the one person who unintentionally sabotages and destroys your practice?
This unfortunate turn of events can occur when physicians and medical employees are not trained to recognize stealth attacks by cybercriminals, who use fake emails and other tactics to access a practice's data and hold it hostage until their ransom demands are met.
Healthcare is particularly vulnerable to this type of cybercriminal activity, which shows no signs of slowing down. In the past couple of years alone, ransomware attacks have frozen patient data in medical facilities from Hollywood to London and around the world. Currently, an estimated 93 percent of spam contains a ransomware payload. And nearly 90 percent of healthcare organizations have experienced data breaches, according to the Ponemon Institute's sixth annual report assessing this issue, with human error accounting for 80 percent of those breaches.
Because ransomware attacks and data breaches can severely damage the reputation and bottom line of a medical practice, it is critical to develop a cyber-savvy staff. To achieve that goal, healthcare employees must learn to recognize the security risks that can be lurking in ordinary activities such as accessing emails, viewing social media images, or setting passwords. Here are a few approaches to arming employees with the tools they need to defend themselves from hackers:
Cybercriminals rely heavily on phishing scams that use fake emails to lure unsuspecting employees into opening messages or clicking on links that serve as pathways for malware to infect computer systems. Once inside the network, attackers can lock up its computers and make ransom demands, or steal sensitive personal health information.
One way to deflect this type of attack is for medical firms to conduct their own simulated email phishing scams to expose employees to common cybercriminal ruses. Arthritis & Rheumatism Associates in Maryland conducted one such exercise and found that approximately 15 percent of the company's employees fell for the scam.
Significantly, neither the number of years on staff nor the job title of the employee made a difference in those results, as both physicians and non-clinical staff failed the test. In response, administrators required employees to complete a training module to learn how to avoid the problem in the future. To keep pace with constantly evolving cyber-threats, managers can repeat this type of simulation from time to time and also provide staff members with updates on the latest digital dangers.
Safeguard social media
In addition to spreading ransomware through spear phishing, cybercriminals are also transmitting it through images and graphic files shared on Facebook or LinkedIn. Preventing this type of infiltration requires employees to be vigilant about avoiding infected downloads. First, everyone on staff needs to know that social media websites should be able to display photos or images without the user having to download anything.
If a user clicks on a social media image and the browser starts downloading a file, the file should not be opened. Other files that should not be downloaded or opened are those with unusual extensions such as "SVG," "JS," or "HTA" rather than common image extensions like "JPG" or "TIF." In short, whenever engaging in digital communication, whether through social media or email, no one should download attachments from unknown people or sources.
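The extension rule above is easy to state but easy to get wrong when a file carries more than one suffix. The following Python function is an added example, not code from the article or from HIPAA Secure Now!, that turns the rule into a check a help desk or an endpoint script could run on a downloaded file name; the risky-extension list is an assumption that extends the three types the article names.

```python
import os

# Extensions a browser should display inline. A download of one of these from a
# social-media image is still odd, but the file itself does not run code.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}

# The types the article warns about (SVG, JS, HTA) plus other extensions that
# execute when opened on Windows. Assumption: illustrative, not exhaustive.
RISKY_EXTENSIONS = {".svg", ".js", ".jse", ".hta", ".vbs", ".wsf", ".scr", ".exe", ".lnk"}


def classify_download(filename: str) -> str:
    """Return 'image', 'risky', or 'unknown' for a downloaded file name.

    Every suffix is examined, so 'holiday.jpg.js' is 'risky' even though a
    casual reader sees 'jpg' and assumes it is a picture.
    """
    name = os.path.basename(filename).strip().lower()
    parts = name.split(".")
    # "a.jpg.js" -> [".jpg", ".js"]; a name with no dot yields no suffixes
    suffixes = ["." + p for p in parts[1:] if p]
    if not suffixes:
        return "unknown"
    if any(s in RISKY_EXTENSIONS for s in suffixes):
        return "risky"
    if suffixes[-1] in IMAGE_EXTENSIONS:
        return "image"
    return "unknown"
```

A file that classifies as "risky" should be deleted unopened and reported to IT, which matches the article's guidance for unexpected downloads.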
Passwords are meant to protect sensitive data from the prying eyes of those who should not see it. These online gatekeepers are not always effective, however, because they may be too old or too easy for hackers to decipher.
By following a few "best practices" for creating passwords, employees can strengthen this line of defense and possibly avoid a costly ransomware incident. One effective tactic is to set passwords to expire after a certain amount of time, say 90 days, at which point the password must be reset. In addition, a practice can configure accounts to lock after five failed password attempts.
Once those attempts have failed, the account cannot be opened and must be reset by IT personnel. Employees can also be trained to create passwords that are complex enough to foil hackers yet easy for staffers to remember. For instance, the first letter from each word in a memorable phrase can be combined with numbers or punctuation marks to create a secure password.
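To make the two account rules above concrete, here is an added Python model (not code from the article or its author) of an account that locks after five failed attempts, stays locked until IT resets it, and flags a correct password as expired once it is 90 days old. The constants and the `Account` class are assumptions chosen to match the numbers in the text.

```python
import hmac
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                 # lock after five bad passwords
PASSWORD_MAX_AGE = timedelta(days=90)   # force a reset after 90 days


class Account:
    """Lockout and expiry rules from the article. A real system stores a
    password hash; the clear-text password here only keeps the example short."""

    def __init__(self, username, password, password_set_at):
        self.username = username
        self._password = password
        self.password_set_at = password_set_at
        self.failed_attempts = 0
        self.locked = False

    def login(self, password, now):
        """Return 'ok', 'expired', 'bad-password', or 'locked'."""
        if self.locked:
            # The password is not even evaluated while locked, so the right
            # guess on attempt six gives the attacker no signal.
            return "locked"
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "bad-password"
        self.failed_attempts = 0    # a success clears the counter
        if now - self.password_set_at >= PASSWORD_MAX_AGE:
            return "expired"        # correct, but must be changed now
        return "ok"

    def admin_reset(self, new_password, now):
        """Only IT clears a lock; the reset also sets a fresh password."""
        self.locked = False
        self.failed_attempts = 0
        self._password = new_password
        self.password_set_at = now


def walkthrough():
    """Replay the article's scenario; returns the sequence of login results."""
    day0 = datetime(2024, 1, 1)
    acct = Account("nurse1", "Tlmiasdtm!1", day0 - timedelta(days=10))
    results = [acct.login("wrong", day0) for _ in range(6)]
    results.append(acct.login("Tlmiasdtm!1", day0))       # still locked
    acct.admin_reset("NewPass!2", day0)
    results.append(acct.login("NewPass!2", day0))          # ok
    results.append(acct.login("NewPass!2", day0 + timedelta(days=90)))
    return results
```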
Training healthcare staffers to avoid hackers' scams pays enormous dividends by preventing costly ransomware attacks and the potential loss of patients after a data breach. Along with technological firewalls and meaningful security risk assessments, employee training offers a key layer of protection against the ever-growing threats of cybercrime.
Art Gross is the president and CEO of HIPAA Secure Now!, which provides risk assessment, training and other security services to medical practices. He can be contacted at firstname.lastname@example.org.