IT Forefront

Go phish: How to build a human firewall to protect against phishing

by Ernie Hood and Allyson Vicars

In health care, we've seen a huge spike in social-engineering-style cyberattacks, most particularly phishing, in which hackers send an email disguised as coming from a trustworthy entity to induce individuals to reveal information such as login credentials or sensitive data for malicious purposes.

A Bitglass study of HHS's Wall of Shame—where the department publishes all breaches that affect 500 or more patients—found that 68% of the records breached in 2014 resulted from a lost or stolen laptop, but in 2016, a staggering 98% of records compromised were due to hacks.

Phishing is now a top security threat for health care organizations (HCOs) because it has proven to be one of the easiest ways hackers can steal patients' medical identity and protected health information (PHI). Within most HCOs, security prevention and funding efforts lag, contributing to a lack of strong and effective security controls. A 2016 SANS Institute IT Security Spending Trends report revealed that while organizations in the financial services sector tend to spend over 10% of their IT budgets on security efforts, health care spending in this area is only 4% to 6% on average. There's also a culture of openness and helpfulness in health care in which staff are highly motivated to help others; this has its benefits, but it also makes it easy for a scammer to trick and take advantage.

A variety of technologies can help reduce the risk of a successful phishing attack, such as antivirus software, email filters, blacklisting and whitelisting sites, but technology alone is not enough. To protect your organization from phishing, you need assurance that the end user can make sound decisions in how they navigate the internet and their email. HCOs must build up a human firewall as their last line of defense. Here are three key ways to do so:

  1. Train all staff on cyber awareness often (more than once a year) and ensure it is relevant by providing regular updates on the latest phishing techniques. Don't just rely on bulletin boards and memos. Implement phishing campaigns as a way to internally test staff against the latest scam tactics.

  2. Conduct special training on phishing for senior leadership and finance staff. Staff who handle and have access to the most sensitive, valuable information should have personalized training that targets their roles specifically.

  3. Train staff on what to do as soon as they realize they've fallen for a phish (e.g., isolate and escalate). Some organizations instruct their employees to immediately disconnect and unplug their workstation or device.

HCOs that approach training as a continuous process are ahead in their defense against phishing. Test employees periodically to determine if their anti-phishing training has been effective. Prioritize and focus training on higher risks, personalize training based on staff roles, and leverage multiple communication channels, not just email. To help find real examples that will resonate with staff, several universities have created online libraries of phishing and social engineering ploys that can be useful for training purposes, such as Lehigh University's Recent Phishing Examples library.

HCOs must bring all efforts together—technology, training, and testing—in order to properly build up and ready a human firewall that protects their organization from phishing attacks.

Next, learn six steps for responding to ransomware attacks

With cybersecurity threats on the rise, gone are the days when a lost laptop was the biggest security concern. In the past two years, 90% of HCOs have experienced a breach involving the loss or theft of patient data.

Now, more than ever, it is critical to ensure your organization has a proper response plan in place for cybersecurity incidents. This guide breaks down SANS Institute’s PICERL approach, covering the six steps your organization can take to ready for and respond to a ransomware attack.
