How regular phishing drills keep providers’ data safe

Healthcare organizations should look for incremental reduction of risks by making use of phishing education campaigns, says Kate Borten.

This is especially important because front-line workers play such a large role in data security, and hackers have become very sophisticated in their ability to fool individuals into clicking on a malware-infested email—even if an individual is watching out for such emails, says Borten, president at the Marblehead Group, a security consultancy.

The training needs to incorporate different examples of phishing lures, Borten advises.

“You need to regularly conduct phishing exercises which become part of the security toolkit and provide feedback on how well employees did,” she says. “Do the education, and then phish your employees and see what proportion fell for a phish, and keep phishing them and watch the numbers go down until most are not being phished.”

Also See: Phishing attack risks data of 30,000 patients of Mississippi facility

The reality is that most providers don’t conduct an adequate risk assessment, but for those who do the assessments, there comes a time when the risk of phishing becomes tolerable because the organization is ready and employees—which should include all senior leaders as well—are no longer easily fooled.

Still, for some providers, a certain laxity remains if the organization is not updating device configurations, which opens a point of entry for hackers.

“You need to have a standard secured configuration enterprisewide,” Borten says. “You need to have settings placed on a new server or other devices. You need to check if active accounts are left open and if active passwords are open. Any time you are configuring a device, you better be using a standard secured configuration.”