To err is human; to forgive, divine, according to Alexander Pope. But if the English poet was a CIO or CISO for a hospital today, he’d be sorely tested by any employee who falls victim to a phishing attack. Regulations require employee training to prevent phishing attacks, as well as sanction policies for employees who ignore their training, but they continue. According to a HIMSS Analytics 2017 study, email phishing is the most common method to conduct a healthcare cybersecurity attack, with 78 percent of providers reporting a ransomware or malware attack in the last 12 months. A recent IBM security report found that although healthcare ranks as the 5th most hacked industry, with just 29 percent of incidents involving outsiders, close to half of the incidents that did occur were “inadvertent actors”. Most of us call them employees.
How to Overcome Human Error in Cybersecurity
Healthcare is taking steps to address the role of human error, including beefed up security awareness training for all employees. But high turnover, together with a shift-based, 24/7 workforce, make it difficult to achieve system-wide alignment on security policy. Here are a few guidelines to help reduce vulnerabilities and mitigate the impact of human error.
A Thorough Security Analysis
You don’t know how bad a problem is until you have visibility into it. Hospitals and health systems who perform security assessments that include social engineering tests for employees fare much better in the long run than organizations who are just trying to check a compliance box.
A Clearly Established Data Security Policy
Every organization needs security policies and procedures to clearly outline how social engineering threats are being addressed. It should be clearly communicated in the on-boarding process for every new employee, along with periodic evaluations for all existing staff. The policy should outline acceptable use of IT assets, and include sanctions for failure.
Least privilege access should be at the heart of an effective security policy. This concept of limited user profile privileges on computers, based solely on what a users’ job necessitates, curtails the impact of phishing attacks and other attempts to compromise an organization’s cybersecurity defenses.
In addition, Data Loss Prevention and Security Information and Event Management are often recommended technical controls to fill identified gaps in protection. DLP determines how all data is moving across the network, detects security gaps, and stops information from leaving the network. By disallowing movement of sensitive data, DLP helps protect users from themselves. SIEM allows for continuous monitoring of threats to patient information safety as well as overall operational security.
Simulated Phishing Attacks
Simulated phishing attacks, either to trick the user into revealing sensitive information or to download malware, helps employees recognize the most common threat and build a stronger security-first culture. In an analysis of phishing attempts, research firm MediaPro found 18 percent of those surveyed mistakenly identified phishing emails as legitimate, as against 8 percent of a control group. Doctors were three times more likely to fall prey to the phishing emails than their non-physician counterparts.
Fortified’s simulated phishing attacks, where often 25 percent of employees fall for the initial simulations, provide immediate feedback and built-in training to those who fail, and can follow up with periodic simulations to re-test effectiveness of security awareness training programs.
Stronger Passwords — A Lot Stronger
Data thieves rely on carelessness, and nowhere is this more apparent than passwords. Most users tend to use the same password for all their login information. When Fortified conducts penetration tests to evaluate the strength of password policies, it’s not uncommon to find fully one-third of users have a password that merely includes their name followed by the number 1. Using a favorite sports team isn’t a good idea either. Those that use common words like “Eagles” or “Cubs” are too easy to crack.
Resist Automatic Responses Triggered by Social Engineering
While humans are conditioned to be helpful and polite in the workplace, it works against cybersecurity efforts. During assessments, I’ve walked through sensitive areas in a hospital without proper identification, or called the organization’s help desk to get a user’s password re-set with no questions asked. I’ve also entered Human Resources and received an RFID-enabled badge upon request —all without anyone asking if I’m authorized to have the badge.
Employee training is required to counter these social engineering responses. The right training, in combination with periodic reminders, delivers a security-first culture where employees become an extension of the security team. Employees need to take data protection seriously and feel empowered to respond if they feel something is amiss.
Encourage Responsible Sharing on Social Media
Most security professionals wish social media didn’t exist. But it’s here to stay, and employees are going to use it at work. Employees will always find a way to circumvent the technical controls put in place that prevent using social media in the workplace. Hospitals and health systems should caution staff never to post their birthday, vacation plans, or an address or phone number publicly on social media. It’s the kind of personal data that’s ripe for use in a phishing attack. According to KnowBe4, a Fortified partner and cybersecurity awareness training platform, more than half of users in simulated phishing attacks fell for bogus LinkedIn requests.
Effective cybersecurity balances an organization’s need for convenience and data flow with an equally powerful requirement to keep data out of the hands of those who shouldn’t have it. As long as humans are at the center of moving data through an organization, mistakes will inevitably be made. The guidelines above help you raise your organization’s security posture and be prepared for the next security challenge.
Ready to learn more? Contact us for more information.