High-profile cybersecurity disasters targeting healthcare facilities and operations, such as the ransomware attack on Hollywood Presbyterian Medical Center and the computer virus that shut down significant parts of MedStar Health’s IT operation, have highlighted the need for improved information security at healthcare facilities. If you find yourself fearing these same types of attacks, it is important to address the weakest point in the security chain – human error.
These three steps will help you to begin defending your organization against a cybersecurity nightmare:
- Understand that healthcare facilities are — without any shadow of a doubt — a target; make sure that your employees all understand this stark reality as well. Numerous recent incidents should have made this clear, but not everyone has yet internalized the nature of the present situation. Employees who believe that their information resources are under attack act differently, and more responsibly, than people who don’t fully accept this reality. If security is to be maintained, information security must become an integral part of every employee’s thought processes. To help employees internalize the importance of information security, do not just send out an email or hang up posters – have in-person discussions and meetings. Remember, you are communicating that your organization is under attack, and the weight that you give to delivering this message will likely be reflected in the seriousness that employees attach to information security going forward.
- Train employees on the basics of information security so that they know how to avoid cyber-risky behavior: proceeding with caution when opening email attachments, clicking on links found in unexpected email messages, downloading music or videos from rogue websites, or buying products from unknown stores with “too good to be true” prices and no physical contact information. Information security training materials can be found online, and many are free. However, never rely on training as a sole line of defense against any substantial risk. Many trained employees have still fallen prey to spear phishing and other types of social engineering attacks.
- Devise, implement, and enforce proper social media policies. Inappropriate social media posts can cause many problems, and often open the door for criminals to inflict terrible damage. Information overshared by employees has helped criminals craft highly effective spear phishing emails used to trick other employees into installing malware, or otherwise opening up organizations to data breaches. Problematic social media posts can also leak sensitive information, violating HIPAA and other compliance rules. Implement technology to ensure social media does not become a nightmare, whether employees use social media from work, home, or mobile devices. My company, SecureMySocial, offers this type of technology, but depending on your needs, there may be other options available on the market as well. Make sure you understand what risks you need to mitigate so that you can determine which offering is best for your company. You do not want to simply rely on telling employees not to post particular types of content on Facebook or Twitter. As history tells us, many people are completely unaware of how detrimental their actions can be. Even those who do recognize inappropriate posts can still have accidents: inadvertently leaking data by cutting and pasting into the wrong window, using social media on a smartphone that “auto-corrects” a misspelled word to a sensitive term, or making a public social media post that was meant to be a private message (to note, the CFO of Twitter did just that – are your employees really more sophisticated when it comes to social media than he is?).
(This post originally appeared on the Recovery Brands Blog)