Employee Education Remains Critical to Avoid Ransomware Attacks in Health Care Organizations
December 28, 2018
More than a year after the May 2017 WannaCry cyberattack that severely impacted the health care industry, WannaCry still tops the list of major threats to health care organizations. According to a new report released by Kaspersky Lab, as of the third quarter of 2018, almost 75,000 users were affected by the virus. The report also revealed that employee education can be a critical factor in avoiding a cyberattack.
Kaspersky Lab is a global cybersecurity company. The organization teamed up with research firm Opinion Matters to poll 1,758 U.S. and Canada-based health care employees during October 2018. The survey’s goal was to learn more about health care cybersecurity and, specifically, prevention awareness among health care employees.
According to the survey results, 27 percent of health care IT employees reported that they were aware of a ransomware attack on their organization during the past year. Of those who knew about an attack:
- 33 percent of respondents reported that it happened more than once
- 78 percent of U.S. respondents reported that as many as five attacks occurred during the past year
In addition, 23 percent of respondents were confident about their organization’s security strategy; 9 percent expressed concern about their employer’s system.
Since most ransomware attacks are preventable with a comprehensive security strategy in place, the survey asked health care employees about their awareness of and adherence to IT security policies. Findings include:
- 73 percent of respondents reported that if they received a suspicious email, they would report it to their IT staff, but 17 percent were unaware of the importance of reporting suspicious emails
- 17 percent of respondents admitted that they or a coworker responded to a third-party vendor email request for patient information
Recommendations from the report for health care organizations include:
- Ensure employees are aware of the protocols for security at their organization and educated about the latest threats and associated best practices
- Continuously raise awareness about threats through trainings and reminders
- Conduct security testing and internal simulations to better understand employee strengths and weaknesses surrounding cybersecurity
- Update operating systems on all network computers to the latest version available
- Restrict employee access to information they don’t need
Being proactive about employee awareness surrounding cybersecurity is an integral part of keeping a secure network in place and protecting important patient and other information.
Hospitals should regularly assess their cybersecurity readiness and continuously work with employees to ensure they are aware of cybersecurity policies and response protocols. Additionally, hospitals should include cybersecurity scenarios in their crisis communications plans. Public information officers and communications staff should work with emergency preparedness and IT teams to prepare for the unique internal and external communications needs that may arise in the event of a cybersecurity breach.
HAP’s emergency preparedness team is available to assist member hospitals and health systems with cybersecurity incidents. Armed with knowledge about the latest trends in malware and compliance, staff is able to help hospitals:
- Assess individual situations and work toward limiting potential risks
- Maintain protocols, apply necessary patches, and share best practices
- Comply with industry and national reporting requirements at both the state and federal levels in the event of a breach
In addition, HAPevolve, a subsidiary of HAP, is excited to now partner with Clearwater, a nationally known cybersecurity firm with high-level expertise in health care-specific challenges. This strategic partner can help HAP membership with cybersecurity planning.
For more information about HAP’s emergency preparedness efforts, please contact Mark Ross, HAP’s vice president, emergency preparedness. For more information about crisis communications planning, contact Rachel Moore, HAP’s director, media relations. Contact Joe Tibbs, HAPevolve president, for questions about Clearwater services.