I remember when fishing meant finding a quiet lake with my dad during one of our family camping trips, putting a disgusting worm on a hook and throwing a line out into the water. Aside from the worm stuff, it was serene and peaceful. Now, however, the sophistication of technology and the increase in criminals give fishing (phishing) a whole new meaning.
No longer serene, phishing is an activity that many are unaware is even happening until they are on the “hook” for outrageous amounts of money as a result of a breach and the penalties associated with it. Regardless of the kind of security systems you have in place, the number one cause of most breaches is human error – something you can decrease. It was recently reported that thirty percent of medical breaches were a result of an employee being on a social networking site at work.
According to the Ponemon Institute, it is predicted that 89% of healthcare organizations will experience a breach, 79% of you will face multiple breaches and 45% will experience five breaches. That is alarming, but not impossible to control. Since one of the leading causes of an attack is unintentional employee actions, you can educate your staff on the Do’s and Don’ts of digital media.
As an organization of educators, you put value in learning. However, staff education is a piece that tends to be last in line for budget approval. Since it is highly unlikely you will keep your staff off Facebook, you need to teach everyone in your organization how to surf smart so they don’t get phished! Your firewall and security software are important, but they’re only half the equation. Making your staff a human firewall should be your first line of defense.
Does your staff know the difference between fishing and phishing? Or phishing and whaling? If so, do they know how to prevent it? Does your FedEx, UPS, or mail carrier sign in when they deliver to your office, or are they just running free? What about your pharmaceutical reps? Just because you recognize their faces doesn’t mean they are trustworthy and should have access to your records. When you are checking in your patients, can the folks in the waiting room hear them recite their personal information? Or are you like my pharmacy, where you shout out your phone number and address so that everyone in the store can hear! Are your devices encrypted? Most breaches associated with device theft involved stolen devices that weren’t encrypted.
Your HIPAA training is required only once a year; however, a good compliance program is something you should work on continually. Most don’t, which makes them a “Big Fish” for hackers. It’s been estimated that the average cost of a breach is around $200 per employee, yet training can be as low as $20 per person. Learners gotta learn!