Cybersecurity Awareness Training

Phishing is, by definition, an attempt to get sensitive information (such as passwords and credit cards) from someone through email or chat. It is considered one of the most common strategies in a social engineering attack. One report found that 72% of organizations experienced downtime due to phishing using email-based cyber attack strategies.

Phishing attacks are often successful because hackers are becoming increasingly better at creating convincing fakes. They can replicate communications to appear very credible, resulting in the end-user believing it’s legitimate. It happens all too often. In fact, according to a 2018 article published in Reliable IT MSP, an alarming 88% of healthcare workers opened phishing emails. This seemingly simple and innocent action could result in a devastating cost to a mid-sized healthcare organization. Further studies also highlight the vulnerability of organizations in phishing attacks. The findings of a survey published in the KnowBe4 2021 State of Privacy and Security Awareness Report offered up this surprising stat, “out of all industry sectors, healthcare employees were the least aware of social engineering threats such as phishing and business email compromise (BEC), with only 16% of healthcare employees saying they understood those threats very well.”

These statistics reiterate just how crucial end-user awareness and education are in cyberattack prevention. Some tell-tale signs to focus on in phishing education training include emails containing links with a string of random numbers and letters, communications with a sense of urgency, or seemingly odd requests for information containing suspicious attachments. Intuition can play a big part in prevention. If something doesn’t feel right, question it.

An important piece of any cyber security prevention method is secure passwords. They are the gatekeeper to the IT infrastructures that contain the most sensitive and protected health information (PHI). There is a general list of best practices that end-users should employ when dealing with passwords.

• Passwords should be unique to each application, website, or online account. No two passwords should be the same for users with privileges to multiple IT platforms.
• Passwords should be at the very least eight characters long and contain letters, numbers, and special characters.
• Passwords are the strongest when they are randomly generated.
• Passwords should never contain any personally identifying information such as names, birthdates, or social security numbers.
• Passwords should be changed every six months, if not sooner.
• Use multi-factor authentication (MFA) when available to reduce the impact of a compromised password.

These best practices must be implemented by employees and required to maintain regular access to the data they need to perform their job functions. On the same note, management must implement a plan to ensure that employees are adhering to, and executing these practices regularly.

In this modern world of healthcare, every employee has a certain degree of access to IT systems within the organization. While privileges to protected health information vary depending on the position, being online is a large part of any job in healthcare, from administration to hands-on medical care. Because of this, cybersecurity is crucial. That is why practicing good internet safety needs to be a core part of the cyber user training program you employ.

Some important focal points of your program should include the following:

• Awareness in recognizing suspicious domains. Often, domain names will be one letter, number, or character off from a reputable site.
• Ability to recognize a secure connection vs an insecure connection and what to do if they come across suspicious activity or have questions.
• Beware of downloading untrusted or unauthorized software and entering protected credentials into these programs.