One click of a button could land your organization with a major HIPAA compliance breach. See what can go wrong when one of your employees clicks a malicious email link.
Oftentimes, health care entities incorrectly assume that their employees already know how to recognize malicious cybersecurity attacks, so they skip security awareness training; that is, until they experience a major breach and are fined thousands of dollars. Don’t make that mistake; learn from a recent cybersecurity test that revealed what can happen when a malicious email link is clicked.
Recently, MainNerve, a cybersecurity firm, took a deeper look into a malicious email to see what would actually happen if a link was clicked by an employee. It is important to note that MainNerve’s cybersecurity team consists of technical experts with experience and the necessary tools to test malicious code without affecting their systems, so don’t try this at home.
Using a sandbox environment, MainNerve determined that a specific link in the email prompted a download of a Word document. In a real situation, the employee should have immediately recognized that something was wrong: a link should take you to a website, not to a file download, unless it says otherwise, and even then you shouldn’t open the file unless you trust the sender. Security training would have equipped the employee to recognize this warning sign.
In the test, the sandbox environment allowed MainNerve to contain the malicious link so it couldn’t actually affect the computer. But in a real situation, several problems would soon follow that employee’s mistaken click.
Using another tool, MainNerve then determined that, once the Word document was downloaded, a background process executed, injecting malicious code into the computer to establish a presence on the system. That process would then call out to a known botnet command-and-control server and send out the user’s web browsing history. A botnet is “a network of computers that have been linked together by malware.”
Web browsing history can be extremely useful to a hacker, especially if an employee has visited a site where credentials were used to access the site such as Amazon or an online email service.
The malicious code would also attempt to harvest credentials from a local FTP client, meaning it could potentially capture files and send that information to a third party. In health care, that could mean sending patients’ Protected Health Information (PHI) to an unknown person, causing a serious breach.
Finally, the malicious code could keep connecting to other botnet control points, attempting to spread more malware and possibly sending out still more information.
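The chain described above (a Word document launching a background process, that process calling out to a known botnet command-and-control address, then reading browser history and FTP-client credential stores) is exactly the kind of sequence endpoint telemetry can be correlated on. The following is an added defender’s illustration, not MainNerve’s tooling or part of the original article; the hostnames, file paths, process names and the command-and-control address are all constructed.

```python
from collections import defaultdict

KNOWN_C2 = {"203.0.113.10"}              # constructed: address already tagged as botnet C2
OFFICE = {"winword.exe", "excel.exe"}    # document handlers that should not launch tooling
# Constructed: browser history and FTP-client credential stores the article says were read.
SENSITIVE = ("\\Chrome\\User Data\\Default\\History", "\\FileZilla\\sitemanager.xml")

# Constructed telemetry lines, one event each: host|event|actor|child|detail
#   proc: actor = parent process, child = launched process, detail = document/argument
#   net:  actor = connecting process, detail = remote ip:port
#   file: actor = reading process, detail = path read
EVENTS = """\
hostA|proc|outlook.exe|winword.exe|Invoice_0423.docx
hostA|proc|winword.exe|powershell.exe|
hostA|net|powershell.exe||203.0.113.10:443
hostA|file|powershell.exe||C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History
hostA|file|powershell.exe||C:\\Users\\jdoe\\AppData\\Roaming\\FileZilla\\sitemanager.xml
hostB|proc|outlook.exe|winword.exe|Schedule.docx
hostB|proc|winword.exe|splwow64.exe|
hostB|net|winword.exe||198.51.100.7:443
""".splitlines()


def correlate(lines):
    """Return {host: set(stages)} for the stages of the post-click chain seen on each host."""
    spawned = defaultdict(set)   # host -> images launched by an Office process
    stages = defaultdict(set)
    for line in lines:
        host, event, actor, child, detail = line.split("|", 4)
        if event == "proc" and actor in OFFICE and child not in OFFICE:
            spawned[host].add(child)
            stages[host].add("office_spawn")
        elif event == "net" and actor in spawned[host] and detail.split(":")[0] in KNOWN_C2:
            stages[host].add("c2_callout")
        elif event == "file" and actor in spawned[host] and detail.endswith(SENSITIVE):
            stages[host].add("credential_or_history_read")
    return dict(stages)


def flagged(stages):
    """Alert only when the spawned process both phones home and touches the data named above.

    An Office process launching a helper on its own (hostB's print helper) is routine and
    stays below the alert threshold; the combination is what marks the chain the article describes."""
    return {"c2_callout", "credential_or_history_read"} <= stages


if __name__ == "__main__":
    for host, found in correlate(EVENTS).items():
        print(host, sorted(found), "ALERT" if flagged(found) else "ok")
```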
Sometimes seeing what a single click can set in motion is what impresses upon employers and employees why security awareness training is so important, especially when it comes to HIPAA compliance. When you are not well informed and trained, it’s very easy to make one little mistake that could cost your organization thousands to hundreds of thousands of dollars.
To help your employees with their security awareness training for HIPAA compliance, start your seven-day trial today with HIPAAgps.