
Another week, another major health sector data breach, and another opportunity to reflect on what medical facilities can do to protect the precious patient information they’re charged with safeguarding.
In the latest incident, Community Health Center, a leading Connecticut healthcare provider, is notifying over 1 million patients of a data breach that impacted their personal and health data.
Just days earlier, it emerged that 190 million Americans were the victims of last year’s Change Healthcare ransomware attack, nearly double the 100 million previously disclosed.
Deeply personal: "The medical industry collects and stores some of the most sensitive information individuals have, including specific medical diagnoses, treatments, medications, and other information that most people don't want in the public eye," says Erich Kron, Security Awareness Advocate at cybersecurity vendor KnowBe4. "Unfortunately, these medical facilities are targeted consistently and seem to be struggling to defend themselves."
A people problem: For a long time, the healthcare industry has struggled to balance costs against hiring enough employees to ensure high levels of service to its patients.
"The most common way for bad actors to spread ransomware, or make initial network intrusions successful, is by targeting the employees within these organizations," says Kron. "Unfortunately, many healthcare organizations remain understaffed, and their staff can be overworked, leading to errors and mistakes simply through fatigue and ongoing stress, adding to the risk of an incident."

Training and resources: A human problem requires a human solution, Kron says. "For organizations in these industries, it is critical that the human risk is addressed in their cybersecurity plans, and that employees are given the education, tools, and resources they need to defend themselves against bad actors. Employees need to be able to quickly and efficiently spot and report suspected social engineering attacks to teams within their organization, allowing them to continue their work with the least amount of disruption."
Best practice: Other vital steps recommended by authorities for critical infrastructure providers, such as healthcare organizations, include:
- Install updates for operating systems, software, and firmware as soon as they are released.
- Require phishing-resistant MFA for as many services as possible.
"This industry [healthcare] has proven to be a significant challenge when it comes to securing information, but clearly, we must focus on improving the protection of this sensitive patient information," says Kron.