The digitization of the health care industry has been highly beneficial, enabling doctors, nurses, caregivers and other health professionals to work more efficiently and reliably. Yet, this reliance on technology for crucial health care services comes with a significant drawback: an increased risk of cyberattacks. Criminals have increased their focus on exploiting health care facilities and attacks have grown so widespread that researchers found 1 in 3 Americans were impacted by a health care breach in 2023.
Last month, insurance provider UnitedHealth fell victim to a massive ransomware attack by the Russia-based ransomware group ALPHV/BlackCat. The group caused widespread outages to hospitals and pharmacies across the country, stole millions of patients’ personal information, and forced UnitedHealth to pay a ransom of $22 million.
UnitedHealth isn’t the only major health care organization to be impacted by cyberattacks. Last July, HCA Healthcare fell victim to a breach that exposed the personal data of more than 11 million patients across 20 states. In November, the medical transcription company Perry Johnson & Associates experienced a cyberattack that exposed highly sensitive information for nearly 9 million patients.
Many health care organizations recognize the evolving threat landscape and are hyper-focused on technical defenses to avoid a similar fate, both to comply with regulatory requirements and as a duty of care to patients. However, technology isn't the only aspect of cybersecurity to consider: human error can undermine many elements of a security strategy and allow criminals to land attacks using straightforward methods.
To complement cybersecurity infrastructure and provide robust protection against threats, especially those arising from human error, health care leaders should prioritize comprehensive cybersecurity training for all employees.
How Criminals Exploit Human Behavior
Cybersecurity infrastructure is an absolute necessity for health care organizations, but attackers employ tactics that exploit human behavior to circumvent those measures. Below are a few ways cybercriminals exploit human behavior:
Social engineering: This tactic focuses on manipulating employees into sharing personal information, such as account credentials and approvals of authentication requests. Social engineering can also be used for adversary-in-the-middle attacks, which sometimes involve tricking users into entering their credentials into fake web pages for easy collection.
Phishing: A tactic that leans on social engineering. Cybercriminals will often pose as legitimate people from within or outside the target's organization and send communications that trick employees into clicking on a malicious link or sharing sensitive information.
Spam: Many employees receive hundreds of fake unsolicited emails (spam) from unknown sources, most of which are caught by automated filters. While many spam messages are harmless advertisements, some contain dangerous links that deliver viruses, malware and other malicious software.
Weak passwords: Complex passwords greatly enhance security, but the need to manage numerous accounts daily often leads people to use simpler or serialized passwords (e.g., Spring2024 followed by Summer2024) for easier recall. This habit carries over to work accounts, in the office and when working remotely, especially if the organization neglects to implement multifactor authentication, an additional layer of security designed to confirm users' identities.
Unsecured Wi-Fi networks: Remote work is common across the health care industry, especially for administrative tasks and for accessing data while offsite. The drawback is that employees may use unsecured Wi-Fi networks, which could allow cybercriminals to exploit connected devices if steps aren't taken to secure equipment, data workflows and users.
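The "serialized password" habit described under Weak passwords above is something a password policy can catch at the point of change rather than after a breach. The following is an added example, not code from the original article or from any organization it mentions: it flags season-or-month-plus-year passwords (Spring2024, Summer2024) and new passwords that merely bump the number on a previous one (Welcome1! to Welcome2!). The minimum length, the finding names and the sample passwords are this example's own assumptions.

```python
"""Password-policy checks for serialized passwords (added example, not the article's code).

Flags season/month + year passwords such as Spring2024 -> Summer2024, and new
passwords that differ from a previous one only in the numeric part. The
threshold and finding names below are assumptions, not an industry standard.
"""
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MIN_LENGTH = 12  # assumed policy minimum; adjust to your own policy

# <season or month> [optional separator] <2- or 4-digit year> [up to 3 symbols]
_SERIAL_RE = re.compile(
    r"^(?:" + "|".join(SEASONS + MONTHS) + r")[-_ ]?(?:19|20)?\d{2}[^A-Za-z0-9]{0,3}$",
    re.IGNORECASE,
)
# <stem><digits>[trailing symbols]; used to spot "Welcome1!" -> "Welcome2!"
_STEM_RE = re.compile(r"^(.*?)(\d+)([^A-Za-z0-9]*)$")


def is_serialized(password: str) -> bool:
    """True for calendar-based passwords such as Spring2024 or march-24!."""
    return _SERIAL_RE.fullmatch(password) is not None


def _split(password: str):
    """Split 'Welcome1!' into ('welcome', '1', '!'); None if there is no numeric part."""
    m = _STEM_RE.match(password)
    if m is None:
        return None
    stem, digits, suffix = m.groups()
    return stem.lower(), digits, suffix


def is_increment_of(previous: str, candidate: str) -> bool:
    """True when candidate keeps the stem and symbols of previous and only changes the number."""
    old, new = _split(previous), _split(candidate)
    if old is None or new is None:
        return False
    return old[0] == new[0] and old[2] == new[2] and old[1] != new[1]


def check_password(candidate: str, previous: tuple = ()) -> list:
    """Return a list of finding codes; an empty list means the password passes these checks."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("too_short")
    if is_serialized(candidate):
        findings.append("serialized_calendar_password")
    if any(is_increment_of(p, candidate) for p in previous):
        findings.append("increments_previous_password")
    return findings


if __name__ == "__main__":
    # Constructed sample: a user rotating a seasonal password, then a long passphrase.
    for cand, prev in (("Summer2024", ("Spring2024",)),
                       ("Welcome2024!", ("Welcome2023!",)),
                       ("correct horse battery staple", ())):
        print(cand, "->", check_password(cand, prev) or "ok")
```

These checks complement, rather than replace, a breached-password list and multifactor authentication: a password that passes them can still be guessed or phished, which is why the article pairs password hygiene with MFA.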
Cybersecurity Best Practices For Health Care Workers
It’s crucial that health care organizations always invest in advanced security measures to ensure confidential information is safeguarded. But organizations can significantly improve the effectiveness of their cybersecurity strategy by creating a human firewall: a philosophy of continuously teaching all employees how to identify and combat cybercriminals, while emphasizing a security-centric culture to mitigate threats.
Health care organizations should adhere to the following best practices to build the best defense against cybercriminals:
Continuously educate employees on cyber threats: Conduct regular training on common cybersecurity threats for health care employees at every level. This can help them avoid falling for common tricks while keeping them updated on the latest methods to heighten their awareness.
Enact cybersecurity policies for employees: Implement a detailed cybersecurity policy so employees fully understand how to work safely and securely. This includes password management, using multifactor authentication for logins, and policies for using company devices on unsecured networks.
Encourage employee communication and transparency: Set up communication channels for employees to report suspicious activity to information technology (IT) or cybersecurity teams and their co-workers. This will help teams manage threats before they evolve into bigger problems and can prevent other employees from falling into a trap.
Develop a cybersecurity response plan: Even with thorough, ongoing cybersecurity training, people can still make errors that lead to a breach. Keeping this in mind, health care organizations should have a plan in place, so employees know exactly what to do if criminals manage to compromise any connected devices.
As many organizations have experienced, a health care breach can lead to devastating consequences for the organization, its patients and its employees. However, by following best practices and adopting an ongoing security awareness approach, health care organizations can keep their employees well trained against the most common attack vectors and decrease the likelihood of a successful attack.