Vigilance is a necessity in fending off phishing attacks. Phishing refers to malicious emails that look innocent but can cause organizational mayhem when an unsuspecting employee clicks on the bad links. A report found that 88 percent of healthcare workers have opened phishing emails and that phishing and other forms of cyber-attacks have seen a 75 percent increase since 2021. Once a hacker gains access to one area of protected health information or business records, they can wreak havoc on the entire system and cause financial and reputational damage that is difficult and very costly to repair. Phishing is part of a new wave of cyberattacks called social engineering. Social engineering is listed as the number one threat to healthcare cybersecurity. Beyond standard phishing, other variations used to gain access to critical healthcare records include: Smishing. Fake mobile text messages are used to trick people into downloading malware, sharing sensitive information, or sending money to cybercriminals. The term is a combination of “SMS” or “short message service” (the technology behind text messages) and “phishing.” Smishing with phone calls. Some attacks use a simple text and/or phone call to impersonate people or organizations to gain access to systems. The recent MGM Casino cyberattack is reported to have targeted an IT help desk employee with a fake call for access that ended in a large data breach that may have compromised tens of millions of customers driver’s licenses and Social Security numbers at a minimum. A cybercriminal may masquerade as a senior player “big fish” and directly target other senior players or other important individuals to try and steal money or sensitive information. Whaling is also known as CEO fraud as the attacker impersonates the top executive and directs others to transfer information or money. Business email compromise. This is a subset of phishing campaigns where attackers try to compromise email accounts to send out even more realistic phishing scams. This scam can target an unauthorized transfer of funds or other personally identifiable information like W-2 forms, etc. Healthcare email frauds have seen recent exponential growth of 473 percent. Sitting ducks attract phishing attacks. A HIMSS survey notes that 36 percent of non-acute care representatives reported their organization did not conduct phishing tests. Another report revealed that 24 percent of health employees in the U.S. hadn’t received any cybersecurity awareness training to know how to identify phishing scams. Healthcare remains a top target for cyberattacks due to the large amount of health, medications, and personal information it stores. Currently, 30 percent of all large data breaches happen in healthcare and the costs are staggering. The average cost of a healthcare breach is $10.93 million, compared to the average data breach cost for all other industries is $4.45 million. Healthcare organizations are behind other industries in having robust cybersecurity defenses. This is a combination of a lack of personnel and funding while also having to protect massive amounts of patient data and financial information. Plus, healthcare organizations often work with hundreds of vendors which increases the risk for a breach. Doing nothing or not much to protect the organization is no longer an option. Tips for healthcare organizations to protect against phishing and other social engineering cyberattacks. The best defense against cyberattacks is a strong offense. This means taking a proactive approach to have a strong security program. It also means conducting regular security training for employees. It is vital to have a security-focused culture throughout every area of the organization as it only takes one click to cause massive destruction. Four areas to include in your cybersecurity plan: Analyze exposure. Look at the threat landscape. Perform a security and privacy review. Look closely at the Business Impact Analysis (BIA) with vendors. A crucial step here is to use a third-party management program and have a contract with each vendor. Evaluate risk. Create and use a Risk Registry to document and fully evaluate the risk along with a mitigation plan. This allows you to prioritize items and have a central location for all incidents. This reduces the stress on the organization and allows the team a more organized way to work together. Have a weekly risk review meeting. Develop organizational security policies. Outline what the organization is doing to protect information, but also identify any gaps. Make sure you are compliant with legislation and meeting or exceeding industry standards. Provide security awareness training. Make sure everyone in the organization understands the policies and procedures. Explain the risks, like why personal devices cannot be logged into the network, for example. Remember that cybercriminals are constantly shifting their tactics. Be on the lookout for new threats and adjust the training at least annually. All employees should be required to take HIPAA Security/Privacy Training upon onboarding and annually thereafter. Employees should take Security Awareness training on a quarterly basis. This could be third-party administered. All users should be included in monthly phishing campaigns with remediation training for any failures. Include role-based training (e.g., Privileged User Training, Secure Development Training, etc.). This is important for users who have higher levels of permissions so they can better understand their risks and how to avoid falling for phishing scams. Provide clear Do and Do Not examples for everyone in the organization to help combat phishing and social engineering attacks. This includes things like: Do verify the source who is requesting any sensitive information such as your birth date or payment information before sharing that information. Do Not click on any website link before hovering over it to make sure it is secure and legitimate. Resources are available to support better security preparedness. Beyond phishing and social engineering, there is an urgency to have a solid and ever-evolving security plan. Here are resources that can help build or expand on your plan. Healthcare and Public Health Sector-Specific Plan for prevention, mitigation, response, and recovery. This online resource is from the Cybersecurity & Infrastructure Security Agency (CISA). There is segmented information, including specific resources for Healthcare Information Technology Management. There are numerous privacy and security resources available from The Office of the National Coordinator for Health Information Technology (ONC). A HIPAA Security Toolkit from the National Institute of Standards and Technology (NIST) can help organizations understand the HIPAA Security Rule. Check out this webinar on Data Privacy & Security Best Practices for Hospitals & Clinics from our team. One important security move for any organization is to become HITRUST CSF®-certified. HITRUST CSF is the most widely adopted security framework with a thorough certification program for healthcare organizations. This globally recognized approach supplies a comprehensive, flexible, and efficient approach to regulatory standards and risk. Being HITRUST CSF-certified is woven into everything we do. Hear from Dan Kompare, VP of Information Systems at Harmony Healthcare IT, about why this certification is important. And, check out this brief podcast for more about keeping data secure. Security is reported as the most important factor in vendor selection. In a survey of hospital CIOs, 100 percent of respondents listed security as important or very important. In that same survey, 81 percent of CIOs reported that security vulnerability is the leading pain point driving legacy data management decisions. Here are 10 Security Questions to Ask Your Archive Vendor. Looking ahead: Be prepared on all fronts. Cyber attacks are not slowing down or going away. Industry experts predict a 25.7 percent likelihood that another massive healthcare breach like the 2015 Anthem Blue Cross attack that affected 78.8 million people is likely within the next three years. That attack was caused when an Anthem employee opened a phishing email that infected the employee’s computer with malicious files and allowed the attacker to access 90 different systems, eventually reaching Anthem’s data warehouse. Having a solid plan for risk mitigation across current and legacy data systems can help overcome the chronic security issues that have become too common in healthcare. It’s time to get the right people and partners together to move forward with a strong plan and tools. We maintain a security-minded culture and are transparent with our program and policies to help you understand how products and data within our HealthData PlatformTM are managed. Are you fortifying your security plan, increasing employee security training efforts, and consolidate legacy data silos? Let’s Connect.