In the past few months, the employees of several high-profile healthcare organizations were successfully phished, resulting in damaging cyberattacks and data breaches.
The aftermath continues, but we’ve seen it all before. Civil lawsuits and HIPAA fines are likely to follow in the coming months and years.
Here are highlights from some of these recent attacks:
- In March, the Oregon Department of Human Services issued a breach notification after a phishing campaign targeting employees resulted in the exposure of 645,000 patient records.
- In May, several employees at Presbyterian Healthcare Services in New Mexico fell victim to a phishing email campaign, exposing sensitive data of 183,000 patients.
- In June, an employee of Grays Harbor Community Hospital in Washington state clicked on a malicious email link, triggering a ransomware infection that locked patient files, with hackers demanding $1 million to unlock them.
These are not isolated incidents. Recently, we surveyed hundreds of IT professionals working in healthcare, and we found that end users are one of the biggest threats to healthcare security.
Diagnosis: Employees Are Vulnerable
The vast majority of the organizations in our study identified phishing scams as the leading threat they face. Phishing, in fact, far surpassed malware attacks and other threats.
Additionally, 45% of the respondents indicated low confidence in having effective monitoring and defenses against phishing. Of four categories, phishing had the lowest confidence rating.
Many ransomware and malware attacks start with phishing, and for good reason: exploiting human weaknesses is highly effective. The threat keeps growing because attackers refine their lures continually, so today's phishing emails often look so authentic that even well-trained users have difficulty spotting a scam.
All it takes is one wrong click — and you can be the next hospital or medical practice in the headlines.
The Cure? Protect Your Data Holistically
Our study underscored the need for holistic cybersecurity defenses that include a focus on people. Unfortunately, organizations often allocate most of their resources to technology and tools. Without training and monitoring for employee vulnerabilities, however, you’re still leaving your data and other assets exposed.
Tools are important, but a successful strategy needs more than that: you can't sustain a consistent approach without processes, and without making people part of it.
Prescription: Strengthen Your Human Defenses
Our survey showed that end-user security training is the biggest challenge in monitoring and maintaining a strong security posture. Many of those surveyed planned to make training a priority in the upcoming months.
And end-user education is a good start. You need to educate all employees — from physicians and nurses to your support staff and executives — about the threats and what they can do to protect ePHI. But don’t stop there.
A focus on people also means having highly skilled security experts who can manage risk and respond to threats. Just as your end users are critical to a strong security posture, so is your security team, whether it’s in-house or outsourced.
For more insights into what’s keeping healthcare IT pros up at night and what best practices you need to implement, download our healthcare trends report.