Phishing threats cause sleepless nights for security pros
While researching the wide-ranging 2015 HIMSS Cybersecurity Survey, HIMSS Senior Director of Research Jennifer Horowitz realized fairly quickly that "phishing" was much more than just a creatively-misspelled word. It's "the number one thing that keeps CISOs up at night," she says.
In polling nearly 300 healthcare information professionals for the security survey, "phishing kept bubbling to the top," says Horowitz. "We realized that one of the top reasons organizations said, 'Yes, we have an increased organizational focus on security,' is concerns around phishing attacks. It's one of the key types of security incidents organizations said they face."
The threat of cleverly-disguised, malware-laden scam emails was also something respondents feared would get worse in the future, she said: "a top-of-mind security concern for the people we spoke to."
[See also: Infographic: Phishing by the numbers]
The stark takeaway from the cyber survey is that a whopping 87 percent of respondents say data security has become vastly more important as a business priority for their organizations. And of those, more than two-thirds (69 percent) of respondents say the threat of a phishing attack is a top reason.
Nonetheless, even those hospitals that have taken a forward-leaning approach to security, two-thirds say their organization has already dealt with a "significant" security incident – phishing attacks and other online scamming, most notably.
Despite the common concept of a mass spam email, one thing many organizations might not realize is that phishing attacks – whether to con recipients into replying with inside information, or to infect their machines with malware via corrupted links – aren't always randomly distributed, according to HIMSS.
Indeed, certain employees may be targeted by cyber crooks because of their position – for the job title they have, and the types of information to which they may have access.
Clearly, phishing represents a major risk: One-third of respondents to the 2015 survey indicated they'd already been victimized by an email-based attack.
But while majorities of healthcare organizations are bulking up their network security protections and doing risk assessments, vulnerability scans and penetration testing, fewer than one-quarter of poll respondents said their organizations had tried to improve their readiness with mock phishing exercises.
Moreover, confidence in their ability to protect against such compromise was middling: With an average score of 4.61 on a scale of one to seven, respondents indicated only an "average" protective stance.
Perhaps that's why, when asked to identify their biggest future security fears, health organizations most commonly cited phishing attacks. And not just on their own, but in relation to other common threats: negligent insiders and advanced persistent threat, or APT, ttacks.
As the HIMSS report explains, "Negligent insiders may inadvertently divulge or leak information to an online scam artist, resulting in a successful phishing attack. Moreover, APT attackers may use phishing attacks as part of their arsenal (i.e., an APT phishing attack). These threats need to be addressed not only with technological innovation and processes, but also with security awareness, training and preparedness exercises as well."
"Healthcare organizations can be doing everything right – and based on our survey, which mostly polled larger hospitals, we found that they were doing a heck of a lot right," said Horowitz. "But it comes down to that education. And if one person inadvertently clicks on a link, you could have your entire environment compromised."
The bad actors setting their sights on healthcare "are really clever," she said. "And the ways they can compromise healthcare organizations are changing with lightning speed. So education and training are really important."
Another key is to "take a really proactive stance," Horowitz added. "We saw from our survey respondents that they were starting to take the perspective of operating as though they had already been compromised. You have to have that mindset."
After all: "You could be one click of the mouse from being the next headline."