As you may recall from a previous HIPAAgps post, ransomware attacks can devastate a health care company’s reputation and finances.
You may not think that this applies to you because your company has a seemingly impenetrable firewall, but these attacks infiltrate networks in a cunning way. How do attackers get past your company’s firewall and compromise your network?
The answer is simple: phishing. Merriam-Webster defines phishing as, “a scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly.” An investigation by Verizon found that phishing represented 93% of all data breaches. Phishing works by tricking the recipient into believing that the message is legitimate. Over the years, phishing has become the preferred method for hackers to gain access to health care organizations’ networks, steal valuable medical data, and deploy ransomware.
There are three ways that these phishing schemes can enter your company’s online system (refer back to our February 2018 Newsletter for the full guide):
- The first is a password-reset lure. The email tells the employee that his or her password has expired and includes a link to “update” information such as usernames and passwords. The link leads to a phony page that captures the username and password.
- The second is an email carrying an attachment that contains malicious software. When the unsuspecting recipient opens the attachment, the software may record what is typed (key-logging) and report it back to the attacker, so the victim inadvertently exposes the network to outside threats.
- The last form of phishing delivers the dreaded ransomware. Once the attacker’s malicious software encrypts the computer files, it notifies the victim that they must pay a ransom to regain access.
This way of gaining access to an organization relies entirely on human error; a cybercriminal needs only one victim to fall for the phishing attack to obtain access to an organization’s data. These infections can go unnoticed for months while they continue to gather information from the compromised company. The aftermath of a phishing scam can cause a health care facility to lose patients, money, and time – anywhere from 4 hours to a full day of downtime.
The issue with email is that it essentially hands the keys to the organization’s online door to every employee. Although this is true for almost any company or organization, hacking is especially prevalent in the health care field. Data from Wombat Security’s learning management system found that, “the healthcare industry is one of the worst when it comes to data security knowledge, answering 23 percent of IT security best practice questions wrong on average.”
The best thing that any company can do to reduce and even prevent these intrusions is to be as vigilant as possible. There are a few safeguards to implement to be sure that you and your team are as secure as you can be.
- Since a phish only works when a person lets it in, you need to give your employees adequate IT security training.
- Use email security software designed to identify “fishy” emails, judging both their content and their sender address.
- If an email looks suspicious but still got through the software, make sure your employees know to forward it to a member of your IT team before doing anything with it.
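To show the kind of content-and-sender checks the second safeguard refers to, here is an added Python example (not code from HIPAAgps or any vendor). It inspects two constructed sample emails for the password-expiry lure described above, a link whose domain does not match the sender’s, a credential form served over plain HTTP, and executable or macro attachments; all addresses and domains are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
from typing import List

# Constructed sample messages (not real mail): a password-expiry lure and a benign notice.
LURE = """From: "IT Helpdesk" <helpdesk@clinic-example.com>
To: nurse@clinic-example.com
Subject: Action required: your password has expired
Content-Type: text/plain

Your password has expired. Update your username and password here:
http://clinic-example.com.login-reset.example.net/update
"""

BENIGN = """From: "Scheduling" <scheduling@clinic-example.com>
To: nurse@clinic-example.com
Subject: Shift roster for next week
Content-Type: text/plain

The roster is posted on the intranet: https://intranet.clinic-example.com/roster
"""

LURE_PHRASES = ("password has expired", "update your username", "verify your account")
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://[^\s<>\"]+")

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'a.b.example.net' -> 'example.net' (simplified)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(raw: str) -> List[str]:
    """Return the reasons a message looks like a credential-harvesting or malware phish."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    body, reasons = "", []
    for part in msg.walk():  # works for single-part and multipart messages
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable or macro attachment {name}")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    lure = any(phrase in text for phrase in LURE_PHRASES)
    if lure:
        reasons.append("credential-reset lure wording")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender_domain:  # link points away from the sender's domain
            reasons.append(f"link host {host} does not match sender domain {sender_domain}")
        if lure and url.startswith("http://"):
            reasons.append("credential form offered over plain http")
    return reasons
```

A message with a non-empty reasons list is what the third safeguard says should be forwarded to IT rather than acted on.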
To learn more about how your company can protect against phishing and other cyber scams, join HIPAAgps today.