Posted by: Heather Shy on April 5, 2019 at 9:00 am
A recent study showed that health care employees clicked on phishing emails 16.7% of the time. That may not sound like a high percentage.
Consider this, however: Cyber attacks against hospitals, clinics, and even small medical practices are on the rise. While some criminals are looking for medical records that they can resell on the dark web, some are out to disrupt medical services, even putting lives at risk.
Thankfully, the emails in the study mentioned above weren’t “real” phishing emails, but part of testing and training for health care facilities.
Some may ask, however, if only about 1 in 7 simulated phishing emails were clicked on by health care employees, why should medical practices worry about cybersecurity?
Why Health Care Practices Need to Worry About Phishing Emails
Think about the human body. Each organ connects to the next, and to the next after that. Which means that an infection or injury to one can ultimately affect all.
Similarly, every part of your medical office network connects to another. Do you or your staff use personal cell phones to access your electronic records? What about tablets or portable computers used in the office? Do your patients’ monitors send information directly to their records, or perhaps elsewhere? How do you receive your clinical and lab reports?
All of these devices and records, and the servers that house them, are connected. A threat to one threatens all. Quoting from the study: “It only takes one successful phishing email, sent to one user, to shut down a critical system, potentially disrupting care across an entire organization.”
One key tactic that health care providers need to be aware of is “spoofing.” This is making an email appear to come from a trusted individual or organization. Most employees will click on and comply with an emailed request that appears to come from their “boss.”
Another risk area is new staff. Do you provide at least minimal cybersecurity training for your staff? While this may sound technical, it doesn’t have to be. Many risks can be reduced with policies about transferring patient information (and/or PHI), sharing of passwords, and the like.
How to Reduce the Risks of Phishing Emails
The study report mentioned several ways to reduce the risks of phishing emails to medical offices:
- Firewalls and anti-spam software will block many bulk emails. Some software, such as Microsoft Outlook’s Advanced Threat Protection, will even catch spoofed email addresses. Other software will mark all emails coming from outside the network as “External,” which also cuts down on risk from spoofed address phishing attacks.
- Multi-factor authentication, or MFA, simply sends a unique code to a designated device (like your personal cell phone) after you enter your user name and password on a secured site.
- As mentioned above, training can be as simple as educating new staff on policies regarding information transfer. Other training includes simulated phishing attacks, which send test emails to your staff to see if they will click on a bad email. If they do, they receive brief educational material to help them learn to resist these lures.
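To show what the "External" tagging and spoof-catching described above actually look like in practice, here is an added example (not code from the study or from TAZ Networks) that reads a constructed email, tags it as external when the sender's domain is not the practice's own, and flags a display name that imitates a staff member; the domain, staff names and message are all made-up sample values.

```python
"""Tag external mail and flag display-name spoofing (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample values: the practice's own domain and the names of
# staff that a spoofed "boss" email is most likely to imitate.
INTERNAL_DOMAINS = {"examplepractice.test"}
INTERNAL_STAFF = {"dr. alice practiceowner", "alice practiceowner"}


def sender_parts(raw_message: str):
    """Return (display_name, address, domain) taken from the From header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip(), addr.lower(), domain


def is_external(raw_message: str) -> bool:
    """True when the From domain is not one of the practice's own domains."""
    _, _, domain = sender_parts(raw_message)
    return domain not in INTERNAL_DOMAINS


def tag_subject(raw_message: str) -> str:
    """Prefix the Subject with [External] for mail from outside the network."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if is_external(raw_message) and not subject.startswith("[External]"):
        return "[External] " + subject
    return subject


def looks_like_display_name_spoof(raw_message: str) -> bool:
    """Flag an external sender whose display name matches internal staff."""
    name, _, _ = sender_parts(raw_message)
    return is_external(raw_message) and name.lower() in INTERNAL_STAFF


# Constructed sample message: an outside address using the owner's name.
SAMPLE = (
    "From: Dr. Alice PracticeOwner <alice.owner@mail-example.test>\r\n"
    "To: billing@examplepractice.test\r\n"
    "Subject: Urgent: send me the patient list\r\n"
    "\r\n"
    "Please reply with the patient records attached.\r\n"
)

if __name__ == "__main__":
    print(tag_subject(SAMPLE))
    print("possible spoof:", looks_like_display_name_spoof(SAMPLE))
```

A mail gateway applies the same two checks on every inbound message; the point of the tag is that staff see "[External]" next to a familiar name and pause before complying.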
We would add a fourth defense against phishing emails: engaged, responsive IT support. A dedicated IT provider can monitor your systems and shut down triggered attacks before they become entrenched. With the right backups in place, even a compromised system can often be restored with a minimum of damage.
Is your system vulnerable to attack via phishing emails? Call TAZ Networks today, or fill out the form at the right, to schedule a cybersecurity assessment of your computer network.
Photo via Pixabay.