The need to protect PHI and other sensitive information has becoming increasingly complicated as technology continues to rapidly change and develop, leaving behind notions that we once thought were a solid understanding of how things work. For our frontline healthcare workers who are already so consumed with having to understand the intricacies of the human body and how to keep us in prime healthy conditions, how can we expect for them to keep up with incredibly complex networks, data exchanges, cloud services, Internet of Things, and all of the cybersecurity challenges that come along with them?
The truth is: we can’t.
Just as we as cybersecurity professionals could never understand all of the human sciences without all of the rigorous schooling that these healthcare workers have gone through, we cannot expect them to have the same level of understanding that our intensive technology training has given us. What we can do though, is prepare them for threats that we know they will come across on a regular basis, and train them to respond to these threats and act as our first line of defense against cyber intrusions.
Verizon’s 2018 Data Breach Investigations Report “Healthcare is the only industry where the threat from inside is greater than that from outside. Human error is a major contributor to those stats.”
How to prevent costly and dangerous cyberattacks, Medscape “Many physicians, providers, and employees unknowingly engage in risky behavior on their home and work computers.”
Just because we can’t expect them to know everything doesn’t mean that we can’t prepare our healthcare professionals to face off against some of the most common cyber threats that they will tackle in their day-to-day lives at work and at home. Below are some recommendations for some topics that we at the MI|HSOC see as areas of training that should be hammered in based on the risks and threats we see to our frontline workers.
1. Phishing – Seriously, we can’t hit this one hard enough. The amount of phishing emails we see going to our end users that carry all types of malicious payloads is astounding. Our users need to be aware of everything surrounding this. This includes, but is not limited to:
Suspicious URLs or domain names
Unsolicited emails requesting personal information
Offers that seem too good to be true
Emails containing odd messaging
Requests for money or gift cards
2. Malicious Payloads – This one ties a bit into phishing but should be drilled down a bit more. User’s need to understand the difference between these threats and how they can accidently become victim to one of them.
Credential Harvest Phishing
Trojans / RATs
Ransomware
Spyware / Adware
3. Protecting Their Accounts – Too many times users have had their accounts stolen and misused, whether a personal or work account. They need to be taught safeguards for preventing this.
Teach them about simple vs complex passwords
Using different passwords
Multifactor authentication
Storing and using passwords safely
References: https://enterprise.verizon.com/resources/reports/dbir/
https://www.medscape.com/viewarticle/878592_3
Comments