"If Microsoft calls you and asks for your password … it's not real," said Steve LeBlond, Ochsner Health System's Vice President of Technology and CTO, at our Summit on Digital Health on October 3rd. "We [Information Technology] will never ask you to connect."
Steve was talking about phishing attacks, one of the biggest cybersecurity risks that businesses – especially health organizations – are facing today. You would like to believe that you will never fall for a scam like this, but the truth is that fraudulent e-mails, calls and other intrusion attempts are not always as obvious as the example he gave. These "social engineering" attacks rely on manipulating people, and they are becoming increasingly sophisticated.
How do you avoid social engineering in your healthcare organization?
It starts with a program of continuous and creative education at the system level.
Why "creative"? Well, let's be honest: no one wants to attend a three-hour PowerPoint presentation on security. To be effective, your education must be engaging and relevant. Some tips:
Consider role-playing the security situations that different employees may encounter each day.
Illustrate how a phony request for medical records could unfold.
Recognize that password workarounds are tempting, but dangerous.
Offer tips for working effectively without breaking the safety rules.
Join the growing trend of "penetration testing" – fake phishing emails sent to your own employees to test their knowledge. If they open the link, a page appears informing them that they have been deceived and describing what they should look for next time.
Above all, do not talk down to employees about security; it will only discourage them. Instead, remind them that they are the guardians of some of the most important information on earth. Help them understand why they are attractive targets for hackers.
Of course, all the education in the world will not help if an attack still gets through, so it is also important to have technological defenses in place.