Holiday cybersecurity: Defense tips for hospitals to get systems through the season

More employees work remotely and shop online during the holidays and, as a result, cybercriminals increase their attacks on healthcare and other organizations.
By Bill Siwicki
09:37 AM

Historically, organizations in various industries, including healthcare, have seen spikes in cyberattacks during November and December. This is in large part because, during the holidays, employees are often away from their desktop computers and performing tasks remotely, and are more likely to click on links or get duped by spear-phishing emails, cybersecurity experts said.

At the same time, hospital IT and security workers are on vacation during the holidays and it is thus more difficult for these teams to respond to cyberattacks.


Cybersecurity experts have some tips for healthcare information security specialists to help best protect data during the hectic holidays.

“Make sure your domain is protected against spoofing attacks before the holidays, since too often attackers use the holiday season to spoof healthcare providers’ domains to impersonate the provider and trick their patients when they are least suspecting it,” said Asaf Cidon, vice president of content and security services at Barracuda Networks, a vendor of cloud-enabled security and data protection systems.

Another tip from Cidon is to set up an internal phishing training session before the holidays arrive. This helps ensure employees are on high alert and are more likely to spot anomalies and potential risks in email.

And healthcare organizations should set up two-factor authentication on all email accounts, Cidon suggested. As many employees are traveling, attackers are more apt to log in to their accounts from remote locations, Cidon added.


Healthcare employees who have brought some work with them to do while away need to remember that while joining free Wi-Fi from the corner coffee shop is convenient, it undoubtedly puts them at risk. Many unsecured networks have open access points that cybercriminals can hijack, modifying communications to those networks.

“For a nominal fee, hackers can set up a free Wi-Fi hotspot similar to your coffee shop’s and plan a middle-man attack to collect everything going across their wireless network, including important company credentials,” said Bill Ho, CEO of Biscom, a secure document and messaging systems company with a cybersecurity practice. “Instead, use your phone as a personal hotspot if you don’t have a company-issued one.”

Then comes online shopping on the job. The holiday season is the busiest for online retailing, and employees at all organizations, including healthcare, are on the hunt for deals and looking to wrap up their holiday gift purchases.

“Seventy percent of shoppers admit they are more likely to purchase items from an unknown online retailer if the right deal came across,” Ho said. “This lackadaisical approach makes you hugely vulnerable to cyber risks. If you’re going to do some shopping on the company computer, and who doesn’t from time to time, there are three things to keep in mind.”

First, never use one’s work email to sign up for deals, newsletters or member accounts, especially from new or unknown retailers. Second, pay attention to whether a site is accredited and certified to process payments. And third, never click on suspicious links in one’s work email. Let the IT or cybersecurity team know of any potentially malicious links – that can help them block future phishing scams, or at least let others know what to watch for.

As the new year approaches, healthcare leadership should make a habit of reviewing corporate policies around security and proper data usage with their teams, Ho advised.

“There’s never a bad time to employ regular cybersecurity training, but it’s timely over the holidays as cyber risks rise,” he said. “For leaders in the healthcare space, make sure you and your team know how to identify and avoid malware, phishing scams and other social engineering attacks through regularly scheduled education sessions, mock attack audits, and thorough debriefs should a cyberattack ever occur.”

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com
