In 2019, healthcare saw a 71% rise in confirmed cybersecurity breaches compared to 2018. That rise came before the global pandemic increased everyone's reliance on personal and mobile devices. With the digital shift, cybersecurity incidents in 2020 have become even more prevalent. Bad actors are opportunistic, and the turmoil of 2020 has given them even more material with which to bait users.
In light of this, it’s critical that our workforces adapt. Training end users to be vigilant against cyber-attacks is the first step towards keeping your organization secure. Here’s how Agio Healthcare’s programmatic approach to security awareness empowers clients to protect and defend their data from bad actors.
Why Ongoing Threats Require Ongoing Education
Ransomware is an ongoing threat to every organization. In fact, studies predict that by 2021 there will be a ransomware attack on a business every 11 seconds. While the compromise of medical files and systems is serious enough, ransomware attacks can be catastrophic when they result in physical harm to patients. Just last month, a German hospital was hit by ransomware, and the resulting disruption contributed to the death of a patient. This is the first publicly reported patient death indirectly caused by a ransomware attack.
According to Verizon's 2020 Data Breach Investigations Report (DBIR), social engineering is involved in about 22% of breaches, and the great majority of those attacks (96%) arrive via email. Common forms of social engineering include phishing, spear phishing, pretexting, smishing, and impersonation.
Domain spoofing, another threat that has skyrocketed since the beginning of the pandemic, is the practice of registering lookalike domains that trade on variations of topical phrases or of legitimate names. Check Point reports that "Coronavirus-related domains are 50% more likely to be malicious than other domains registered at the same period." Employees must remain vigilant against fraudulent links and use reliable sources to obtain factual information about COVID-19.
Using these tactics, bad actors trick your users into sharing privileged or confidential data. Over time, phishing, pretexting, and domain spoofing have become increasingly sophisticated, making it more critical than ever for employees to be able to identify and prevent an attack.
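The "fraudulent links" above are usually lookalike hosts: a trusted name spelled with a confusable character, a typo away from the real domain, the real domain buried as a subdomain of an attacker's domain, or a topical keyword bolted onto a familiar name. The script below is an added example, not Agio Healthcare's code or tooling; it shows how a mail gateway or reporting workflow could triage links against an allow list. The trusted domain `example-hospital.org`, the bait keyword list, and the sample message are constructed for illustration, and the registrable-domain logic assumes no multi-part public suffixes such as `co.uk`.

```python
"""Triage links in a message by how closely their hosts resemble trusted domains.

Added example (not the page's or Agio Healthcare's code). The allow list, bait
keywords and sample email below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-hospital.org"}  # hypothetical allow list

# Topical bait terms of the kind counted in pandemic-era domain registrations.
BAIT_KEYWORDS = ("covid", "coronavirus", "vaccine", "relief", "stimulus")

# Cyrillic letters commonly substituted for visually identical Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u04cf": "l", "\u0445": "x",
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def normalize(host: str) -> str:
    """Lower-case, decode punycode labels, and fold confusables to Latin letters."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in ".".join(labels))


def registrable_domain(host: str) -> str:
    """Last two labels. Assumption: no multi-part public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason); verdict is trusted, lookalike, suspicious or unknown."""
    raw = host.lower().rstrip(".")
    folded = normalize(host)
    reg = registrable_domain(folded)
    if registrable_domain(raw) in trusted:
        return "trusted", f"{registrable_domain(raw)} is on the allow list"
    if reg in trusted:  # only matches after confusable folding
        return "lookalike", f"homoglyph spelling of {reg}"
    for t in trusted:
        if f".{t}." in f".{folded}.":  # trusted name appears left of the real domain
            return "lookalike", f"{t} used as a subdomain of {reg}"
        name, sld = t.split(".")[0], reg.split(".")[0]
        if sld == name:
            return "lookalike", f"{name} reused under another TLD ({reg})"
        max_edits = 2 if len(t) >= 12 else 1  # tighter for short names
        if 0 < levenshtein(reg, t) <= max_edits:
            return "lookalike", f"{reg} is within {max_edits} edits of {t}"
        if len(name) >= 6 and name in sld:
            return "lookalike", f"{reg} embeds {name} (combosquatting)"
    hits = [k for k in BAIT_KEYWORDS if k in raw]
    if hits:
        return "suspicious", f"topical bait terms in host: {', '.join(hits)}"
    return "unknown", "no resemblance to a trusted domain"


def scan_message(text: str):
    """Classify every http(s) link found in a message body."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if not host:
            results.append((url, "invalid", "no host in URL"))
            continue
        verdict, reason = classify_host(host)
        results.append((url, verdict, reason))
    return results


# Constructed sample phishing email for the demonstration.
SAMPLE_EMAIL = """\
Subject: Action required: COVID-19 staff screening

Please confirm your details at https://example-hospital.org.login-verify.net/sso
Latest guidance: https://www.who.int/
Vaccine scheduling has moved to https://example-hospital-covid.org/book
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}  ({reason})")
```

The verdicts are deliberately coarse: "lookalike" is worth blocking or quarantining, "suspicious" is worth a second look, and "unknown" simply means the host is unrelated to your brand. In production the registrable-domain step should use a public suffix list, and the allow list should include every domain your organization legitimately sends from, or your own newsletters will be flagged.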
How Training & Testing Can Protect Your Organization
In an effort to elevate the security of data and protect patient lives, the Office for Civil Rights (OCR) treats security awareness training as a vital compliance mandate. Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements that cover all workforce members, including patient care providers, and extend to your business associates. The Security Rule standard itself (maintaining a security awareness and training program for the workforce) is required, and its implementation specifications cover security reminders, protection from malicious software, log-in monitoring, and password management, alongside your own policies for response and reporting.
To reduce your susceptibility to cyber-attack, satisfy many compliance mandates, and follow industry security best practices, Agio Healthcare recommends an ongoing, organization-wide Cybersecurity Awareness Program designed specifically for your organization, providing awareness training and testing for both end users and the organization as a whole.
Training for End Users: For your employees, we recommend a structured, methodical approach to training that exercises best practices and uses real-world testing to strengthen both your people's responses and the defense of your resources.
An effective security awareness program includes:
- On-site, virtual, and/or online security awareness training and seminars
- Periodic, ongoing, and remediation testing of your end users via social engineering techniques
- Posters, newsletters, and other content “dripped” to your employees throughout the year
- A focused, executive-led seminar, presentation, or video that reinforces the company’s commitment
- The ability to measure awareness and improvement related to the training
- Clear guidelines, policies, and procedures for how to report suspected security issues
We encourage our clients to create engaging content and creative ways to deliver messaging to enhance the likelihood that key themes and lessons are remembered. Holding a Security Awareness day and utilizing gamification, competitions, role-playing, guest speakers, and videos are just some of the ways that we have seen companies embrace their training programs. The key to ensuring the event is engaging for employees is to incorporate interactive content and scenarios that are timely and relatable. A common time to hold this event is during National Cyber Security Awareness Month, which falls in October. Led by the Cybersecurity & Infrastructure Security Agency (CISA), this year’s theme is “Do Your Part. #BeCyberSmart.”
Our comprehensive approach enables organizations to regularly train and test employees and measure their results over time.
Security Awareness Training & Readiness for Organizations: From a minor incident to a critical breach, your organization's outcome depends on the speed of detection, the effectiveness of containment, and the accuracy of remediation. Beyond training your employees, how should you prepare? Agio Healthcare recommends a range of testing and readiness activities to supplement employee training: advanced training and testing in the form of resiliency testing, incident response exercises, disaster recovery drills, and tabletop exercises.
One way to test an organization's cyber resiliency is to perform a breach emulation. This test mimics a real attack against your organization to determine whether your security controls and your staff can catch common forms of ransomware before they do damage.
Tabletop exercises are an effective mechanism to shape, enhance, and test the awareness of decision makers, and gamifying the exercise yields a higher level of participant engagement.
Our team recommends running these exercises at least annually to evaluate how the various departments within your organization interact with each other when faced with an attack.
The fact is, we live in a fast-paced world with no signs of slowing down—it’s inevitable that a busy employee will click on a link without first stopping to evaluate its legitimacy. But with the right tools and training, the ramifications can be mitigated.
Agio Healthcare’s Security Awareness 360° program helps you implement a perpetual learning program of “test-train-retest.” Through social engineering campaigns, end-user training, and resilience testing you can lessen your organization’s risk exposure, even in today’s rapidly evolving threat landscape. Contact us for a training needs analysis—we’re here to help.