Healthcare workers still a weak link in cyber defense plans

Hackers are increasingly focusing their attention on the people working at healthcare organizations rather than on the technical defenses that providers, payers and others have erected.

“Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain and our time constraints,” according to a new report from Proofpoint, a security awareness training firm, which based its findings on five questions it asked 7,000 working adult technology users.

Overall, users were not familiar with common information security terms such as phishing, smishing and vishing, and end users are not very worried about cyberattacks; many rely on IT personnel to automatically discover and clean up accidental downloads of malicious software.


“The lack of clarity with regard to the role of IT in attack prevention could be giving users a false sense of security and unnecessarily taxing information security resources,” says Gretel Egan, a security awareness and training strategist at Proofpoint.

Phishing is a hacker's attempt to fool someone into clicking a link or opening an attachment in a malware-laden email that appears to come from a trusted source. Smishing involves sending an SMS text message to a mobile phone that carries a fraudulent link, paired with a believable pretext, such as a notice from a bank that an account is short on funds and a payment needs to be made.

Vishing is voice-based phishing, such as a caller posing as the IRS who tells a person that there is a problem with their account and that they need to send money.

Information security teams must understand that the technical terms they use when communicating with end users in healthcare organizations might not be understood, and they need to speak in plain English, Egan warns.

“If the terminology isn’t recognizable to users at a basic level, they are likely to tune out and think the information doesn’t apply to them. If employees don’t understand what you are asking of them, they will not progress in terms of cyber hygiene,” she contends.

Most information security professionals have seen an increase in social engineering attempts in the past year. With so many devices now in the work environment, healthcare employees and administrators who do most of their work on a mobile device are likely using that same device to access not just personal accounts but corporate accounts as well, which raises the level of threat.

If these accounts are compromised, a hacker can take advantage and start draining a healthcare organization’s corporate accounts. “Having a hacker attack a phone can result in bleeding to other personal and corporate accounts, and the corporate computers and company accounts are compromised,” Egan concludes.

The full report is available here.
