There’s no denying the dire security situation healthcare organizations are currently facing. However, so much of what you read online or see in the news revolves around specific malware threats or ransomware attacks. What is often missed is the underlying problem—the human factor.
A recent Verizon cyber security report found that human error is a leading cause of cyber attacks across all industries. The healthcare industry especially must find new ways of addressing human error to avoid falling victim to the same attacks that have plagued organizations for years.
The Different Layers of Human Error in Healthcare
Human error is a broad category covering the many different vulnerabilities that originate with individual employees.
Verizon’s research found that for the healthcare industry, human error boils down to three main issues—insider privilege misuse, inattentive employees, and physical loss/theft. Losing track of physical devices gives attackers the easiest entry point into healthcare organizations, but the other two forms of human error present a more challenging problem.
Privilege misuse and inattentiveness make an organization more vulnerable to phishing attacks. Attackers developed more than 220,000 new pieces of malware daily in 1Q 2016, yet even the most sophisticated malware is useless without the initial human compromise.
The healthcare industry faces a constant battle against phishing attacks as more attackers try to access valuable protected health information (PHI) every day for nefarious purposes.
The Current State of Phishing Attacks
The first step in mitigating the potential for human error in cyber security is to understand the phishing attacks that compromise your employees in the first place. According to a recent study from the Anti-Phishing Working Group (APWG), there was a 20% increase in the number of known phishing websites between October 2015 and March 2016. Worse yet, these websites are being used to launch increasingly dangerous threats.
There are many different types of phishing schemes, but here are a few that anyone should be familiar with—security professional or otherwise:
- Basic Mass-Email Campaigns: At the lowest level, attackers can send out mass emails with deceptive messages that trick users into clicking malicious links. The links lead to seemingly legitimate sites where users type in their credentials, which the attackers then collect.
- Malware Loading: This type of attack can also be launched through mass emails. However, malicious links and attachments are configured in such a way that users who click on them automatically download a piece of malware onto their machines. Similarly, an advanced keylogger can be deployed in this way to track specific activities.
- Targeted Spear-Phishing: Rather than launching a mass-email campaign, attackers can pick a certain vulnerable or high-profile employee at your organization and tailor a phishing email just for them.
Regardless of the specific type of phishing scheme, Verizon found that users across all industries open malicious emails approximately 30% of the time. Unfortunately, it only takes one of your employees to open one of these emails to compromise your whole network.
If your employees are willingly (but unknowingly) giving attackers access to your electronic health record systems, there aren’t many cyber security solutions that can help you. This is why you have to mitigate human error at the source.
How to Address Cyber Security Human Error to Avoid Costly Attacks
It seems like cyber security experts have been talking about the same need for employee training for years. However, Patricia Skarulis, Senior Vice President and Chief Information Officer at Memorial Sloan Kettering Cancer Center, has some recent advice for healthcare companies looking to address human error:
- Internal Phishing Attack Tests: Skarulis believes healthcare companies should intermittently test their employees with fake phishing attacks. These tests would offer insight into your staff’s ability to spot a malicious email.
- Online Course Training: You could set up your internal testing to direct employees to online courses that address the specific attack they fell victim to.
- Technical Preparation: Training is of the utmost importance, but that doesn’t mean there aren’t any technical solutions to phishing schemes. Two-factor authentication and a full set of malware detection/prevention tools can help you ward off potential threats, even when your employees make an inevitable mistake.
Ongoing employee training should be top-of-mind for any security leader, but you can’t entirely rely on this for protecting your electronic health records. Attacks happen fast (just look at what happened at the Wyoming Medical Center, where human error allowed attackers to access more than 3,000 records in just 15 minutes). Having the right in-line security appliances and out-of-band monitoring tools in place is equally necessary.
Healthcare organizations need to keep up with the evolving cyber security landscape—but that means deploying a complex stack of appliances and software solutions.