Every type of industry and every person is at risk of phishing attempts. However, the healthcare industry is a particularly large target.
Healthcare databases contain an extremely large variety of personal information, including addresses, dates of birth, social security numbers, and payment methods. The healthcare industry has access to more personal data than most industries, which is why it is highly targeted by cyber criminals.
What exactly is a phishing attack? Phishing attacks are a malicious way of stealing valid credentials through social engineering. Often attackers send emails which appear to be very legitimate, but in reality these emails are a way of tricking users into clicking on links that either install malware or lead them to enter their credentials.
Recent information has shown that a common way attackers are legitimizing these emails is through deceptive subject lines, and the most common subject line appears as “Payment Notification,” making users believe the emails contain important information.
We spoke with our CEO, Paul Sponcia, to discuss what companies (both in the healthcare industry and in other industries) should be doing to protect themselves. He shared:
- “First off, they should ensure that all of the low hanging fruit is cleaned up, spend smart money on good things such as: Spam solutions, normal antivirus, good firewall defense, ensure they are blocking websites people shouldn’t go to, and that they have some system in place to stop people from going to known malware and botnets. That is number one.”
- “Next, they should ensure someone is watching these systems – you CANNOT set it and forget it. These systems require management, updates, monitoring, updating, tweaking and responding to changes.”
- “Finally, you should ensure they have an extensively trained and sufficiently paranoid workforce. Most people think emails and directing people to some YouTube videos works, but it doesn’t. You need a system in place, integrated with your systems, that is not only designed to provide simple to use and watch training (30 seconds to 3 min long) but also the accountability to monitor that it is being done AND THEN test people to see if they still fall for tricks.”
We also asked Paul what we do at The IT Company to protect customers.
“A large group of our customers have some of the basics, but we have been rolling out more advanced features such as 1) advanced threat protection at the firewall, the intrusion system, the Windows servers and remote access. These provide ongoing monitoring and alerting, as well as logging of security events, and help to prevent, as well as know faster, when something has happened; 2) Security Awareness Training Systems – some of our newer customers are seeing this but older customers need it too. These are the tools to train and be accountable for the training, as well as testing users to see who falls for phishing scams, as well as voice and text; and 3) Two-factor authentication – this is newer but is readily available in Microsoft Office365, and also can be integrated with your Windows and Citrix logins. This ensures that you are who you say you are, and will largely stop a great deal of issues if your account is compromised.”
Phishing attacks are becoming more vicious all the time. Follow these suggestions to protect yourself and your company!