Securing Healthcare Data from Phishing
One of the chief areas of online security that every HIPAA-covered entity should focus on is protecting healthcare data from phishing. Phishing attacks are happening with greater frequency in the healthcare sector than ever before.
Phishing attacks on the healthcare sector usually have one of two aims: to gain access to PHI or to deliver ransomware. PHI is now a valuable commodity on the black market, as it can be used to establish false identities, obtain free medical treatment, and commit insurance fraud. Once ransomware has been downloaded onto a healthcare organization's network, attackers can demand massive ransoms for the encrypted files to be unlocked.
The number of phishing attacks on the healthcare industry is growing, despite organizations providing online security training to staff. Many of the successful attacks happen because of the increasing number of employees using their mobile devices at work, who fail to apply their online security training to their mobile online activities. With the increased adoption of BYOD policies in the healthcare sector, organizations need to increase their efforts to protect healthcare data from phishing.
How Phishing Attacks on the Healthcare Sector Take Place
Before detailing how to protect healthcare data from phishing, it is best to outline how phishing attacks on the healthcare industry work. Most phishing attacks on the healthcare sector are delivered by email, although attacks through social media and malvertising are also known to have happened. The communications generally appear authentic and instruct employees to follow a link to a web page, where they are directed either to complete some action that triggers a malware download or to enter their username and password in order to proceed.
The malware that is installed is not necessarily ransomware. Surveillance software such as adware and keystroke loggers can be downloaded to monitor an employee's online activities and record their usernames and passwords. Other kinds of malicious software can be installed to establish gateways through which attackers can enter an organization's network remotely. If the phishing attempt has succeeded in obtaining a username and password, the cybercriminal will likely be able to access PHI almost at once.
How to Safeguard Healthcare Data from Phishing
As there are so many ways for employees to be sent communications instructing them to visit an unsafe website, the best way to protect healthcare data from phishing is to stop employees from being able to reach the unsafe website at all. This can be done with a web filter that is configured to deny access to fake websites and websites harboring malware, and that blocks the download of the file types most commonly associated with malware.
- Blacklists forbid access to websites known to be unsafe or that mask their true identity behind a proxy server. Blacklists are updated often to reflect recently reported phishing attacks on the healthcare industry and other threats to online security.
- Category filters forbid access to categories of websites that usually harbor malware. System administrators can set up web filters to deny access to many different categories of website, such as those containing pornography, freeware or pharmaceutical products.
- Keyword filters permit system administrators to fine-tune web filtering parameters to manage access to websites containing specific words or file types. Like category filters, keyword filters can be set for individual users, user-groups or universally.
These three controls work in unison to protect healthcare data from phishing and to stop other web-borne threats. Most web filters used to stop phishing attacks on the healthcare sector now also offer SSL inspection, which decrypts, inspects and re-encrypts traffic to apparently safe websites to check for the presence of malware. Sadly, an SSL certificate is no longer a guarantee of security, and many apparently secure sites have been found to have security vulnerabilities that could be exploited by a cybercriminal.
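As an added example (not code from the original article or any filtering vendor), here is how the three controls described above can be layered in evaluation order, with the per-user-group overrides the article mentions. The domains, categories, keywords and group names are constructed sample data, not a real blocklist or categorisation feed.

```python
from urllib.parse import urlparse
from pathlib import PurePosixPath

# Constructed sample data for illustration only; not a real blocklist or vendor feed.
BLACKLIST = {"login-secure-portal.example", "free-proxy-gateway.example"}
# Category filter: domain -> category (a real filter would use a vendor categorisation feed).
CATEGORIES = {"video.example": "streaming", "cheap-meds.example": "pharmaceutical",
              "downloads.example": "freeware"}
# Default policy plus a per-group override, modelling the "by user-group" settings.
POLICY = {
    "default": {"blocked_categories": {"pharmaceutical", "freeware", "adult"},
                "blocked_extensions": {".exe", ".scr", ".vbs", ".hta"},
                "blocked_keywords": {"verify-account", "password-reset"}},
    "it-admins": {"blocked_categories": {"adult"},
                  "blocked_extensions": {".scr", ".hta"},
                  "blocked_keywords": set()},
}

def evaluate(url: str, group: str = "default") -> tuple[bool, str]:
    """Return (allowed, reason), applying blacklist, category and keyword/file-type checks in order."""
    rules = POLICY.get(group, POLICY["default"])
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # 1. Blacklist: the exact host or any parent domain that is listed (applies to every group).
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLACKLIST:
            return False, f"blacklisted domain {candidate}"
    # 2. Category filter: deny whole classes of site for this group.
    category = CATEGORIES.get(host)
    if category in rules["blocked_categories"]:
        return False, f"blocked category {category}"
    # 3. Keyword and file-type filter on the path and query string.
    path = parsed.path.lower()
    ext = PurePosixPath(path).suffix
    if ext in rules["blocked_extensions"]:
        return False, f"blocked file type {ext}"
    haystack = f"{path}?{parsed.query.lower()}"
    for keyword in rules["blocked_keywords"]:
        if keyword in haystack:
            return False, f"blocked keyword {keyword}"
    return True, "allowed"
```

The order matters: a blacklisted host is refused before any group override is consulted, so a looser policy for administrators never re-admits a known phishing domain.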
How Web Filters Assist Workplace Productivity
In addition to improving a healthcare organization's online security posture, the mechanisms used to protect healthcare data from phishing can also be used to assist workplace productivity. The increased implementation of BYOD policies in the healthcare sector leads to a higher potential for employees to engage in "cyberslacking", the practice of using an organization's Internet service for activities unrelated to work.
Although some personal use of the Internet at work is thought by some to be good for productivity, too much personal use can have negative effects and cause resentment among co-workers. System administrators can set the parameters of a web filter to stop the abuse of Internet privileges, avoid possible HR issues and enforce acceptable use policies, either for individual users or user-groups as mentioned earlier, or with time-based controls.
Other Advantages of Web Filtering for the Healthcare Sector
Web filtering for the healthcare sector can have other advantages beyond helping to protect healthcare data from phishing and enhancing workplace productivity. In medical centers where bandwidth is a problem, web filtering parameters can be set to restrict how much bandwidth each device is permitted within a certain time, or to limit access to bandwidth-hogging websites such as video streaming websites during the busiest part of each day.
A web filter can also be used to prevent hospital patients and visitors from being exposed to objectionable material viewed in public by another patient or visitor, or a child from being exposed to adult content while waiting for a hospital appointment. Many hospital patients and visitors want to be able to log on to hospital WiFi networks, and will appreciate a safe browsing environment, free from the threat of malware and exposure to inappropriate content.