It’s just an innocent, blue, highlighted, underlined sentence in an email asking you to click. What’s the harm in just one little click? That little, half-second click is all it takes…

In 2017, healthcare organizations are predicted to be one of the top targets for cyber security threats. Historically, healthcare has ranked near the top of the list, but this year it has moved to the front of the line. Security breaches involving more than 500 records have increased 300% in the last three years. The recent announcement from CMS at https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-17-17.pdf confirms just how seriously everyone needs to treat this issue.

Since the moment you started reading this blog until now, hackers have already come up with hundreds of new ways to attack your network and systems. New forms of viruses, malware and ransomware have been designed to outsmart your cyber security software and hardware. Legitimate web sites have been hit with hackers hiding malicious software that is launched when you open an infected page.

Your employees access protected health information every day over your network through PCs, tablets, and mobile devices. You and your IT department are confident in the security protection you have in place. Your anti-virus/malware software is updated every day, you have network intrusion detection, email scanning, and advanced internet filtering and reporting tools that block malicious sites.

Everyone does his or her usual routine for the beginning of a workday, which includes checking work email. A mass email has been sent out to 500 employees from what looks like a legitimate email address from someone within the organization. The subject line has a message that looks important. At least 150 of your employees will open it, according to statistics. Out of those who opened it, 18 will make that one little click.

But why should you be worried? All of your security protection was put into place to avoid any attacks. Unfortunately, your internet-filtering device fails to block the threat because it does not automatically update its list of known malicious web sites. Your intrusion detection system has been logging a higher than normal number of external attempts to access the network, but no one in your IT department has looked at the reports for a few days, and the system does not automatically notify IT of potential attacks. Your anti-virus/malware software vendor does not have a patch for the attack launched today. You do not have a centralized anti-virus/malware management system that automatically tells you which devices are at risk.

All Because Of One Little Click

Now what? The hackers could have accessed a file or report that one employee saved in an email, personal file, corporate shared file or laptop containing protected information. This is only the beginning.

Identity theft victims will most likely find out months later when their credit card statement has fraudulent charges or unexpected collection letters. Studies have shown it will cost them an average of $13,500 and 200 hours to fully recover. 

What about your organization? You will have to report the incident to the Department of Health and Human Services and notify all individuals involved. If more than 500 records were breached, you will be required to send out a press release and post the details of the incident on your web site. Millions of dollars and valuable time will be spent to restore the records that have been stolen, not to mention the impact on your reputation.

Policies, procedures, training, and follow-up training are the steps you have taken first. You continue to educate and train new employees. What else can you do? Train employees on what phishing looks like: misspelled words in emails, a sense of urgency, spoofing (slightly altered email and web addresses), and some sort of call to action. Other preventive measures include cutting off network access and system access to all software for terminated employees, and having them return all company-owned devices before they leave. These devices need to be wiped clean of all files and programs. If mobile phones are used, make sure you have a mobile device management system in place that can encrypt text messages and control what apps can be loaded. You also need to prevent email from being stored on personal smartphones.
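Two of the phishing indicators listed above, a slightly altered sender address and an urgent call to action, can be checked automatically before a message reaches an inbox. The following is an added example, not code from the original post or from Prelude Services; the organisation domain `example-health.org`, the urgency phrases and the sample addresses are constructed placeholders.

```python
# Added example (not part of the original post): triage checks for a look-alike
# sender domain and an urgent call to action. OUR_DOMAIN and the phrase list
# are assumed placeholders to be replaced with the organisation's own values.
import re

OUR_DOMAIN = "example-health.org"  # assumed placeholder for the real domain
URGENCY = ("urgent", "immediately", "within 24 hours", "account suspended",
           "verify your password", "action required")

def normalise(domain: str) -> str:
    """Undo the common character swaps used to build look-alike domains."""
    d = domain.lower().rstrip(".")
    for old, new in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                     ("3", "e"), ("5", "s"), ("7", "t")):
        d = d.replace(old, new)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character alterations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str) -> str:
    """Return 'internal', 'lookalike', 'external' or 'malformed' for a From: value."""
    m = re.search(r"@([^\s@<>]+)>?\s*$", address)
    if not m:
        return "malformed"
    domain = m.group(1).lower().rstrip(".")
    if domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        return "internal"
    ours, cand = normalise(OUR_DOMAIN), normalise(domain)
    # Our name used as a leading label of a foreign domain, a swapped
    # character, or a one/two-character typo all count as look-alikes.
    if cand.startswith(ours + ".") or edit_distance(cand, ours) <= 2:
        return "lookalike"
    return "external"

def phishing_indicators(sender: str, subject: str) -> list:
    """List the indicators present in one message; empty means none found."""
    found = []
    if classify_sender(sender) == "lookalike":
        found.append("lookalike-sender")
    if any(phrase in subject.lower() for phrase in URGENCY):
        found.append("urgency")
    return found
```

A message that returns any indicator is a candidate for quarantine or a warning banner rather than automatic rejection, since a two-character edit threshold will also flag some legitimate partner domains.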

Most importantly, the more layers and more eyes you have on your network the better. IT departments need to be at the front of the battle line, ensuring the security layers are sufficient. Cyber security tools require constant attention and oversight every day. Backup and recovery systems need to be implemented and tested on a regular schedule. If a data breach happens, you need to have the option to shut down the first point of threat. If you have the necessary back-up systems in place, you will need to restore the data to its state from before the threat occurred.

The more eyes the better. Your network should be constantly monitored for any penetrating threats. These threats can occur up to 500 times per second, a statistic you do not want to take a chance on. If internal resources are not available and reliable, outsourcing your IT, Cyber Monitoring, and annual Risk Assessments may be your best solution.

Please do all you can to safeguard your organization for 2017.

Remember, that one little click is all it takes. http://www.preludeservices.com

Dennis Stufft is president/CEO of Prelude Services. He may be reached at information@preludeservices.com.