Phishing is the #1 threat
Phishing has been identified as the #1 threat action used in successful breaches, according to Verizon’s 2019 Data Breach Investigations Report. In its 2019 Phishing By Industry Benchmarking Report, KnowBe4 built on Verizon’s findings, noting that unlike other hacking strategies, phishing criminals exploit social engineering (how people think and react) to take advantage of employee naivete.
Through a combination of emails, phone calls, and other outreach methods, phishers persuade your staff to act in ways that open the door for criminals to access your organization’s data and funds.
How phish-at-risk is the healthcare industry?
Across all industries and organizations of all sizes, the average phish-prone percentage was 29.6 percent, up 2.6 percent from 2018. That means that nearly one of every three employees was likely to click on a suspicious link or email, or to obey a fraudulent request.
What does that look like in the healthcare and pharmaceutical sectors? Pretty phishy. For organizations of 1-249 employees, the risk of getting hooked is 33.1 percent. If your organization is larger, say 250-999 employees, the percentage is slightly lower at 32.9 percent, but still a big number. For employers with 1000 or more employees, the risk decreases a bit further, to 27.6 percent of all employees likely to be hooked by a fraudster.
Can training help minimize phish-susceptibility?
Yes, although some users will keep clicking regardless. Investing in a combination of computer-based training and phishing security testing can cut phishing exposure by half, but it does not eliminate it.
Larger companies still report higher exposures despite implementing training. In the healthcare/pharma category, organizations with 249 or fewer employees saw their phishing exposure decrease to 17.8 percent. Mid-sized providers saw an even larger decrease, to 14.8 percent. However, the rate of phish exposure in large employers (1000+) only fell to 19 percent.
Can fake phishing help?
It can, but it must be followed by testing and likely more training. KnowBe4’s whitepaper urges companies to “phish their users.” Do it at least once to highlight the issue. Do it again to reinforce the training. Then do it at least once each month to keep the lesson fresh.
Combine phish training with compliance training as a strategy to remain HIPAA-compliant and to demonstrate to the regulators you are actively working to protect patient data.
Compliance matters – in training and data protection
Regardless of industry and, in some cases, geography (healthcare, financial services, and insurance, whether in the US or Canada), no one is immune from oversight and regulatory compliance.
Errors happen. Intentional omissions happen. Someone will eventually click a hacker’s link or fall prey to a predatory scam. And then, where are you?
In a better place, if you have a protocol in place to stop phishing and to secure patient data.
A vigilant, well-run compliance system can spot irregularities and give an attentive compliance team a chance to nip exposures before they get out of hand. Patrina can help. We’ve built our business on helping organizations keep track of “bad apples” and stay on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s cost-effective designated third-party services, our comprehensive 8-module compliance solution, and our compliant data capture, file storage, and records archiving designed specifically for the healthcare, insurance, and financial services community. Be smart. Be covered. Let’s talk.