
Vulnerable to ransomware? It’s not your servers – it’s your people

May 24, 2024
By Ron Zayas

While computers are now essential in every workplace, including healthcare organizations, that doesn’t mean that most professionals who use them every day understand how easily they can be weaponized. Healthcare organizations have become a favorite target of thieves and ransomware gangs for a variety of reasons, starting with the critical services they provide. Shutting off access to patient records impacts appointments, surgeries, prescriptions, and even prognoses. When every second counts, the consequences of a comprehensive data or administrative failure can be fatal.

Given these inherent risks, hackers realize that there is a higher likelihood of their ransom demand being met. To pay or not to pay? Either way, the resolution is going to be expensive. Those who opt not to bow to extortion face a significant investment in restoring IT systems, as well as attorney costs and legal liabilities from the class action suits that inevitably follow a breach. Those who pay the ransom are not immune to these consequences either.

The most effective strategy to avoid becoming the next victim is to take preventative action that lowers the risk of a successful breach. While your servers may have been hardened to resist ransomware, hackers have shifted their focus to another vector of attack – your employees. Whether it’s the CEO who has run the hospital successfully for a decade, or the new admissions rep hired just a few weeks earlier, each one has the power to prevent an infiltration opportunity.

Such attempted breaches are often successful due to the sheer number of personnel employed in many healthcare organizations. Add to this the growing sophistication of phishing emails, many of which now incorporate artificial intelligence (AI) that can be trained to quickly identify and focus on the most target-rich individuals—those who are more likely to accept a personalized email as authentic.

We’re a long way from the old “Nigerian prince” scams; today, thieves leverage personal information from data brokers and people finder services. By combining this data with social media profiles, public records, school records, GPS data, and additional content from other online sources, scammers are armed to customize a phishing email capable of misleading even the most vigilant recipient.

Few people would be taken in by a notice allegedly from Microsoft or eBay, mentioning an overdue invoice that needs to be paid. Such emails often contain spelling and grammatical errors that make them even more suspicious: “This will be charged immediately unless you tell us invalid is this invoice.”
