Like most criminals, the shady characters who are out to steal your data will be much more likely to succeed if they have an accomplice on the inside. Unfortunately, there’s a good chance they’ll find more than a few accomplices on your staff.
Of course, the employee who ultimately opens the safe and green-lights the thieves probably won’t do it deliberately. He or she probably won’t realize how it happened, but the damage will be just as complete as if the employee were in on the caper.
To the would-be data thief, healthcare is fertile territory. Policies are often lax or loosely enforced. Employees are often overconfident and/or naive. And the number of entry points that can lead to breaches is disconcertingly high.
One survey found that healthcare ranked 15th of 18 industries in regard to the security risk known as “social engineering” — the buzz phrase describing vulnerability to schemes that manipulate employees into divulging confidential or personal information. The survey “show[s] that security awareness and employee training are likely not sufficient,” says Alex Heid, Chief Research Officer at SecurityScorecard, which monitors security risks. “Security is only as strong as the weakest link,” he adds.
Epidemic of infections
Those weak links — unwitting employees — have played a part in 52% of all data breaches, a CompTIA study finds. And the relative ease with which nefarious actors have managed to hack healthcare facilities has reduced the unscathed to a small minority. According to the 2016 Healthcare Industry Cybersecurity Report, more than 75% of the entire healthcare industry had been infected with malware during the previous year.
How do unwitting employees get taken for a ride? Here are just some of the ways:
- Phishing (or spear-phishing) scams. Phishing attacks are increasing and evolving. In 2016, one of every 131 emails contained malware. Some are obvious. Some are less so. Either way, once a targeted recipient takes the bait and opens a malicious attachment, malware installs on the system and the attacker can begin to move toward his objective. “Employees are often the lowest-hanging fruit when it comes to phishing, spear-phishing and other social-engineering attacks,” says Mr. Heid. “For a hacker, it only takes one piece of information … to exploit an employee into divulging sensitive information, or to provide an access point into that organization’s network.”
- Personal devices. Smartphones, laptops and USB drives can be security nightmares. People visit questionable sites, download unverified applications and fail to lock their devices with passwords. If they then shift into work mode, they can expose their employers to the malware or spyware they’ve unknowingly brought with them.
- Weak Passwords. Believe it or not, a 2016 study of 10-million passwords found that one in six people were using “123456.” Worse yet, the list of the top 25 most popular passwords, which accounted for more than half of all passwords overall, included such ridiculously easy-to-crack variations as “111111,” “password,” and “654321.”
- Questionable browsing. Websites that let users download movies or music are especially risky, say experts. As are (and should probably go without saying) adult websites.
- Social media. Cyber-attackers are on the lookout for information they can use to help launch phishing attacks — a photo of an office setting or excessive information about one’s job, for example. Harmful links and downloads abound on social media, as well.
- Unsecured wireless connections. Most people either don’t know or underestimate the dangers involved in using public Wi-Fi. A recent survey found that 87% of American consumers had used it at one time or another, and more than 60% assumed it was safe.
- Free software. Conscientious employees may be tempted by programs that provide simple services, such as converting word files into PDFs, for free. But a free program may be more likely to contain malicious code.
Don’t just educate
Many facilities are recognizing how vulnerable they are, and wisely employing technology to protect coveted data. But unless they make sure employees clearly understand the dos, the don’ts and the dangers surrounding data security, thieves will continue to see healthcare as an easy and profitable mark.
How can you beef up your defenses where employees are concerned? Ongoing education and training are essential, but don’t settle for a classroom Q&A, says security expert Marc van Zadelhoff, writing for the Harvard Business Review: “User awareness programs are the key to educating insiders. Train your people, test them, and then try to trick them with fake exercises.”
Doing so requires work and perseverance, he says, but the extra effort will have a disproportionate positive impact on the safety of your data.