• Politics
  • Diversity, equity and inclusion
  • Financial Decision Making
  • Telehealth
  • Patient Experience
  • Leadership
  • Point of Care Tools
  • Product Solutions
  • Management
  • Technology
  • Healthcare Transformation
  • Data + Technology
  • Safer Hospitals
  • Business
  • Providers in Practice
  • Mergers and Acquisitions
  • AI & Data Analytics
  • Cybersecurity
  • Interoperability & EHRs
  • Medical Devices
  • Pop Health Tech
  • Precision Medicine
  • Virtual Care
  • Health equity

To Fight Phishing, Let's Look at Fatigue

Article

It takes just one click for a hacker to attack a network and steal sensitive data.

Editor’s note: This is a column written by Jack Murtha, senior editor. His analysis reflects his views, not necessarily those of the magazine.

By 10:10 a.m. today, I received 2 separate warnings about attempted phishing attacks against the parent company of Healthcare Analytics News™. In one, a cyberattacker claiming to work for a bank attached a sketchy file to an email, requesting the recipient to review bogus failed transactions. In the other, the hacker posed as a FedEx employee and provided a link to where the mark could supposedly enter personal information to claim a package.

Neither intended victim has worked here in the past year. And although neither of these emails was remotely legitimate, both were the latest in a string of phishing expeditions whose potential negative effects are all too real.

How come, in 2018, phishing remains so common? The short answer is that phishing works.

>> READ: The MyFitnessPal Data Breach Must Resonate Beyond Its Userbase

In March, one such attack hit a national physical therapy chain and exposed the protected health information of more than 35,000 patients. That news followed a successful phishing trip in a Florida state health agency, jeopardizing 30,000 Medicaid patients’ records. And last year, the deceptive practice accounted for the highest number of healthcare cyberattacks, according to Theresa Meadows, MS, a hospital executive who cochairs a federal cybersecurity task force.

“The biggest recommendation that I have for hospitals, specifically, is to do ongoing education around phishing, ransomware, and malware,” she told this magazine in December, “because you’re only as strong as your weakest link.”

I’m guessing there are many weak links, in healthcare and beyond, these days. The relentless, rapid-fire nature of today’s scammers is getting overwhelming. Whether it’s the barrage of calls to my cellphone or shady email links and attachments, these digital bear traps seem to be becoming downright ubiquitous.

And I’m beginning to understand how fatigue can set in.

In healthcare, fatigue wears different costumes and carries different implications. The first and most obvious type of fatigue in medicine is the symptom affecting patients with any number of illnesses, from a cold to cancer. There’s also professional fatigue, the cloud of exhaustion and disengagement that sometimes leads to physician burnout and, in the worst cases, contributes to suicide. Another face of fatigue stems from tech—electronic medical record systems, digital alerts, you name it—which can cause clinicians to disregard serious alarms, endangering patients.

But a more universal form of exhaustion also places healthcare organizations, clinicians, patients, and just about everyone at risk. Call it cyber fatigue, security fatigue, cybersecurity fatigue. Whichever term you prefer, it describes a phenomenon in which computer users grow tired of the constant messaging surrounding the hacking threat, causing them to abandon cybersecurity altogether.

>> LISTEN: Finding Orangeworm

Research suggests a majority of computer users, spanning various age groups and backgrounds, deal with some form of cybersecurity fatigue. In turn, that sense of weariness translates to risky user behavior and a boon for malicious actors, according to studies and industry experts. “I don’t pay any attention to those things anymore,” one research participant told investigators, a casual disarmament of critical cyberdefenses.

Now, combine this lethargy with a finding from 2015 that suggests 97% of people can’t identify phishing emails, and we have a troubling puzzle. How can we teach computer users, meaning nearly everyone, to avoid phishing emails if most of us are sick and tired of thinking about cybersecurity?

There are ways. An organization can always jolt its employees out of complacency by performing a penetration test, complete with a phishing component, followed by an educational program. Healthcare information technology departments, meanwhile, must keep their systems up to date—always a vital step. They may also institute stricter email spam controls. But no measure is ironclad.

The key idea is to keep employees alert to the very real threat facing every resident of the digital world. Healthcare, specifically, is among the most targeted industries by hackers, and its data are perhaps the most sensitive of any field. And analyses suggest healthcare employees are the prime cause of cybersecurity meltdowns. If your people aren’t awake, your patients are at risk.

What worries me is the prevalence of phishing, the tenacity of social engineers. Every day, most of us manage a deluge of emails, including phishing attempts. The more often these attacks zoom by, the more likely the hackers are to catch us sleeping. And we’re all just one click away from upheaval.

Get the best insights in healthcare analytics directly to your inbox.

Related

If You Can’t Beat the Hackers, Join Them

Phishing Emails Play on Our Fear of Failure

Inexpensive Actions Against Expensive Data Breaches

Related Videos
Image: Ron Southwick, Chief Healthcare Executive
Related Content
Image credit: ©tippapatt - stock.adobe.com

Healthcare mergers may face more questions about cybersecurity

April 18th 2024
Article

In the wake of the Change Healthcare attack, regulators may look more closely at protections for data privacy as they examine deals, experts say.

The rise of third party cyberattacks in healthcare | Data Book podcast

The rise of third party cyberattacks in healthcare | Data Book podcast

March 11th 2024
Podcast

Dan Dodson, the CEO of Fortified Health Security, talks about the risks to hospitals, AI in attacks and defense, and what health systems can do to protect themselves.

Image credit: American Hospital Association

Change Healthcare cyberattack: Health leaders ask Congress for help with cybersecurity

April 17th 2024
Article

During a House panel hearing on the attack, hospital and health industry leaders urge lawmakers to help deal with attacks from ransomware groups.

Hospitals face evolving threats from cyberattacks | Data Book podcast

Hospitals face evolving threats from cyberattacks | Data Book podcast

December 7th 2023
Podcast

Michael Hamilton, founder and chief information security officer of Critical Insight, talks about trends in attacks and emerging threats in the coming year.

Image: Ron Southwick, Chief Healthcare Executive

Change Healthcare cyberattack: Lawsuits emerge, and more are coming

April 5th 2024
Article

Several suits have already been filed and others are expected due to the ransomware attack that has affected hospitals and providers nationwide.

Image: Ron Southwick, Chief Healthcare Executive

American Hospital Association CEO talks about Change Healthcare ransomware attack and cybersecurity

April 4th 2024
Article

Rick Pollack discussed the cyberattack and its ramifications at the Hospital + Healthcare Association of Pennsylvania Leadership Summit.

© 2024 MJH Life Sciences

All rights reserved.