In case you weren’t aware, October is National Cybersecurity Awareness Month. For those in the healthcare industry, unfortunately, cybersecurity awareness is something many are still lacking. According to a report from Herjavec Group, the healthcare industry is expected to spend $65 billion on cybersecurity from 2017 to 2021. All that money being spent, and yet healthcare remains one of the most frequently targeted and worst-performing sectors when it comes to cyberattacks and data breaches. Why is that? Well, it is likely because while so much of that money is being spent on technology (antivirus software, firewalls, etc.), not enough time and money are being invested in the training of people.
This is something we have discussed many times before (check out this blog): irresponsible and/or careless human behavior is the single most common and dangerous threat to an organization’s data security. The sad truth is that this sort of behavior is usually unintentional. More often than not, it is the result of ignorance and a lack of proper cybersecurity training. Don’t believe me?
According to a report from cybersecurity firm Kaspersky Lab, only 29 percent (that’s less than a third) of healthcare workers were able to identify the correct meaning of the HIPAA Security Rule. It also found that 40 percent of respondents were not at all aware of the cybersecurity measures in place at their organizations to protect IT devices (laptops, tablets, smartphones, etc.). Perhaps the scariest part? The study found that 1 in 4 healthcare workers had never received any cybersecurity training, of any kind, from their employers.
On the surface, 1 in 4 might not seem like a very scary number. After all, that’s only 25 percent of healthcare workers, right? Well, thinking that way assumes cybercriminals need everyone to fall for their tricks. They don’t. In fact, they just need one person, a single untrained person, to carelessly click a link or download an attachment. When you look at it this way, those are some pretty nice odds for cybercriminals.
Here’s another way to look at it. Let’s say I’m a cybercriminal and I have purchased a list of 1,000 email addresses that belong to healthcare workers. If I email out ransomware-loaded links/attachments to everyone on that list, there is a pretty good chance that as many as 250 might be poorly trained enough to click/download it. But, as a cybercriminal, I don’t even need 250 of them to do that… I just need one, just one person out of those 250 untrained individuals. When you look at the numbers this way, you realize that even a number as low as 25 percent actually translates into nearly a 100 percent chance of successful infiltration for any cybercriminal.
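To make the arithmetic above concrete, here is a small added example (it is not code from the original post) that models the mailing as a set of independent recipients and asks how likely it is that at least one of them clicks. The post supplies only the 1,000-address list and the 25 percent untrained figure; the per-recipient click rates are assumed values chosen for illustration, so treat the outputs as a way to reason about exposure rather than as measured numbers.

```python
"""Phishing exposure model for a bulk mailing.

Added illustration for the "1 in 4 untrained" argument. The click rates
passed in are assumed inputs for illustration, not figures from the post.
"""
import math


def expected_untrained(recipients: int, untrained_fraction: float) -> float:
    """Expected number of recipients who have had no cybersecurity training."""
    return recipients * untrained_fraction


def per_recipient_click_rate(untrained_fraction: float,
                             click_rate_untrained: float,
                             click_rate_trained: float = 0.0) -> float:
    """Blended probability that one randomly chosen recipient clicks.

    A recipient is untrained with probability untrained_fraction and clicks
    at the corresponding rate; trained staff get their own (lower) rate.
    """
    return (untrained_fraction * click_rate_untrained
            + (1.0 - untrained_fraction) * click_rate_trained)


def prob_at_least_one_click(recipients: int, untrained_fraction: float,
                            click_rate_untrained: float,
                            click_rate_trained: float = 0.0) -> float:
    """Probability that at least one of the recipients clicks.

    Treats recipients as independent: P(at least one) = 1 - (1 - p)^n, where
    p is the blended per-recipient click rate.
    """
    p = per_recipient_click_rate(untrained_fraction, click_rate_untrained,
                                 click_rate_trained)
    return 1.0 - (1.0 - p) ** recipients


def recipients_for_risk(target: float, untrained_fraction: float,
                        click_rate_untrained: float,
                        click_rate_trained: float = 0.0) -> float:
    """Smallest mailing size at which P(at least one click) reaches target.

    Solves 1 - (1 - p)^n >= target for n. Returns math.inf when nobody
    clicks (p == 0), since no mailing size would reach the target.
    """
    p = per_recipient_click_rate(untrained_fraction, click_rate_untrained,
                                 click_rate_trained)
    if p <= 0.0:
        return math.inf
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


if __name__ == "__main__":
    # Scenario from the post: 1,000 addresses, 25 percent untrained.
    # Assumed for illustration: 10 percent of untrained staff click, trained
    # staff do not.
    n, untrained, click_untrained = 1000, 0.25, 0.10
    print(f"expected untrained recipients: {expected_untrained(n, untrained):.0f}")
    print(f"P(at least one click) over {n} emails: "
          f"{prob_at_least_one_click(n, untrained, click_untrained):.6f}")
    print("emails needed for even odds of one click: "
          f"{recipients_for_risk(0.5, untrained, click_untrained)}")
    # Same list after everyone has been trained and the trained click rate
    # is an assumed 1 percent.
    print(f"P(at least one click) with all staff trained: "
          f"{prob_at_least_one_click(n, 0.0, click_untrained, 0.01):.6f}")
```

The useful takeaway is the shape of the curve, not any particular number: with a quarter of staff untrained, even a modest click rate pushes the probability of at least one click over a 1,000-address mailing to effectively certain, and the mailing only needs to be a few dozen addresses long to reach even odds. Training lowers the blended per-recipient rate, which is the only lever in the formula that the practice controls.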
Practices Need Training for These Top 5 Cybersecurity Threats
Whether you hire a professional cybersecurity consultant to conduct formal training of all your practice staff (which is nice, but not always necessary) or research and create your own in-house cybersecurity training program, here are the top five threats you need to be training yourself and your staff on:
- Phishing/Spear-Phishing – No matter how dangerous a piece of ransomware or malware might be, it is nothing without a delivery system that allows it to infect networks. Phishing and spear-phishing emails have become the go-to delivery method these days. For more info, check out our past blog here.
- Social Engineering – You might say that social engineering is the “hacking of humans,” as it uses human behavior as a tool of manipulation to infiltrate organizations (and then their networks) and trick people into ignoring or breaking standard security procedures. For more info on how to identify and avoid social engineering ploys, check out our past blog here.
- Ransomware – We’ve already talked a lot about ransomware in several articles on this blog. For specifics on dealing with it, however, we recommend reading the following blog article.
- Data Leaks/HIPAA Violations – Every single member of your practice should know the HIPAA Security Rule, inside and out. Regular training and refreshers on this should be done at least twice a year, if not every quarter, to ensure everyone knows what is required of them.
- Insider Threats – Whether intentional or accidental, insider threats refer to the destructive actions of employees, contractors, etc. that lead to data breaches and/or HIPAA violations, and they pose huge risks to any healthcare organization. For details on what kinds of threats to be on the lookout for, check out this past blog.
As we near the end of National Cybersecurity Awareness Month, now is the perfect time to make sure everyone in your practice has the training, tools and knowledge they need to identify and avoid these cybersecurity threats. Remember… to succeed in taking over your entire network, a cybercriminal only needs one person in your practice to click on a ransomware-loaded link. So, a little training now could save you from serious headaches later on down the road.
To learn more about how Nextech can help your practice's security success, simply fill out this form and a member of our team will be in touch soon!