Organizations everywhere must be aware of a disturbing trend that accompanies public health emergencies - an increased risk of more frequent cyberattacks! Last year was quite remarkable for the healthcare industry, between everything centered around COVID-19 and a rise in cyberattacks. This rise requires healthcare organizations to step up their cybersecurity efforts to prevent a costly breach.
According to the U.S. Department of Health and Human Services (HHS) Breach Portal, there were 543 breaches in 2020. Of those 543, 368 were a result of Hacking/IT Incidents. Other types of breaches include 115 Unauthorized Access/Disclosures and 35 Thefts, among others.
In 2022, the frequency of cyberattacks due to Hacking/IT Incidents and Unauthorized Access/Disclosures is expected to continue. Most healthcare organizations that may be targeted by cybercriminals can expect phishing attacks to make up the majority of cybercrime. To counter this threat, healthcare organizations and their employees must be vigilant.
Five Lessons to Prevent a Phishing Attack and Protect Your Assets
Lesson #1.
Don't Take the Bait!
While this sounds easy enough, you would be surprised how tempting it is for some individuals to click on an enticing email. For example: Learn How We are Preventing COVID19! Click HERE! Sounds interesting enough. What could go wrong? Well, a lot of things could happen with just a click!
We have tested this when analyzing healthcare organizations' cybersecurity posture by setting up a mock phishing campaign and sending an email like this out to all the employees. It wasn't unusual to see some employees open the email and click the link, while other employees reported it, and others deleted the email without saying a word. The first step in preventing a phishing and ransomware attack is making sure employees do not take the bait and instead report suspicious or enticing emails that tempt them to click a link.
Lesson #2.
Closely Examine the "To," "From," and Subject of the Email.
When determining if the email is safe or not, ask yourself the following questions: Did the message come from a sender you actually know? Does something seem "phishy" or "off" about this email? Was the email sent just to you? Does the subject line make sense? Quite often, phishing attempts will include a long sentence that is not related to your normal day-to-day work activities.
Lesson #3.
Never Reply to an Email, Text Message, or Call a Number in a Suspicious Email.
By responding, you confirm to cybercriminals they have active information, which could result in additional attacks. Another risk of responding is that cybercriminals can share your information with other attackers, making you a target for more attacks, such as phishing, ransomware, and malware.
Lesson #4.
Make Sure Your Antivirus / Antimalware Software is Up to Date.
Unless instructed to do so by your security team, never ignore antivirus / antimalware software updates. As cybercriminals evolve and send out more sophisticated attacks, including new viruses, updates contain current information needed to protect your computer or device and combat current threats.
Lesson #5.
Train Employees with Cybersecurity Awareness Training.
Train employees to have the confidence and knowledge to recognize that if something seems suspicious, it probably is and should be reported. In the healthcare industry, cybersecurity is a responsibility that belongs to all of us. Cybersecurity awareness training is an excellent way to protect protected health information and healthcare organizations' most sensitive information.
About the Author
Chad joined Healthcare Compliance Pros (HCP) in 2014 as the Director of Compliance. Chad's seasoned background includes over 20 years of combined experience in healthcare, information technology, and compliance consulting services. Chad is primarily involved in consulting with healthcare clients about their HIPAA and HIPAA HITECH-related issues, including breach determination, breach mitigation, and corporate OIG and CMS compliance.
Chad is involved in several on-site client audits and helps successfully implement HIPAA regulatory requirements to protect healthcare organizations from serious fines related to audits and breaches. Through his national experience in remediating regulatory issues, Chad possesses a broad knowledge of U.S. state and federal agencies and provides in-depth regulatory support and assistance for all clients.
In addition to working directly with clients related to all compliance matters, Chad is also the main contributor to HCP's weekly healthcare forum, where he shares his expert knowledge related to industry topics, trending compliance news, and new regulatory requirements. Chad is a published author with several advocacy groups, including MGMA, AAOE, RBMA, AOA, PAHCOM, and HBMA.
Chad holds undergraduate degrees in the areas of Medical Specialties and Healthcare Administration, and a master's degree in Healthcare Informatics.