Phishing attacks can result in ransomware or other types of malware. Read on to learn what healthcare cybersecurity teams can do to protect their organization and patient information.
The human element of cyberattacks
Humans are often the weakest link in the cybersecurity chain, with curiosity or inattention taking the place of vigilance and caution in the face of an ever-increasing number of social engineering attacks, including:
- Phishing (email)
- Voicemail phishing (vishing)
- Texts (smishing)
- Fraudulent websites (pharming)
The dramatic increase in these type of social engineering attacks serve as a stark reminder that organizations must proactively monitor both their IT networks and their personnel.
Emerging vishing threats
Vishing attacks were first reported in December 2019 and have proliferated in number, type and complexity since then. The latest threat combines phishing with pharming, calling workers and coercing them to log into a fraudulent website so criminals can capture usernames and passwords.
Other vishing threats include a massive mining campaign to gather login credentials for later attacks and exploiting legacy voicemail technology to ensnare remote healthcare workers.
Hackers are also leveraging workplace collaboration tools such as Slack, Discord, and Microsoft Teams that exploded in popularity when the pandemic sent office workers home.
Since collaboration platforms are a trusted part of an IT network, successful hacks thereof can bypass perimeter security protections to deliver malware or exploit legitimate application programing interfaces (APIs) to establish command-and control protocols used to export data from target networks.
Organizations should also be on the lookout for fake social media pages, as Johns Hopkins found out recently. A Facebook page, supposedly from the health system, was created in November 2020, with four of the 10 initial posts aimed at employee recruitment.
Despite the recent page creation and questionable spelling, including misspelling the health system’s name, several people responded to the page, which was traced to a cryptocurrency exchange website in Nigeria.
Third-party risk reduction
Although technology upgrades, proactive maintenance and constant monitoring of IT infrastructure can help keep healthcare providers safe from cyberattacks, employee security and awareness training is just as crucial to continually reinforce company policies and make the organizations aware of the threat landscape.
This type of training and awareness must extend past your own organization and into the third-party organizations that healthcare organizations leverage to conduct business and provide services.
No matter how well educated your employee base is on security and the associated threats, it is all for naught if you leverage a third-party vendor doesn’t adhere to security fundamentals, which includes an effective security and awareness training program for its users.
For greater insight into how to cultivate and maintain a strong, cyber aware culture, watch our free, on-demand webinar, The Art & Science Behind a Strong Cybersecurity Culture.
